Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523732
MD5:	c3d56c65ad5db36d2dccb9cc2ac8577e
SHA1:	ff3510dbdd291084aff47d373ff9ee799a258b90
SHA256:	2896008f0fc7eb35149aa261b1b22f85e5529c6dccfe3c54bb128f2f049bc0c2
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C3D56C65AD5DB36D2DCCB9CC2AC8577E)

chrome.exe (PID: 7312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1728 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5132 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7280 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1674602298.000000000111F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000002.1675033646.0000000001122000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7292	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 505sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_76.3.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_76.3.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_82.3.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_76.3.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_76.3.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_82.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_82.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_76.3.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_76.3.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_76.3.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_76.3.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_76.3.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_82.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_76.3.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_76.3.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_76.3.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_82.3.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_76.3.dr	String found in binary or memory: https://www.google.com
Source: chromecache_76.3.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_82.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_76.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_76.3.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.1674585799.0000000001132000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1674034189.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1675102425.000000000113B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1675033646.0000000001122000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_76.3.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49785 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C5EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C5EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C5ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C5ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00C5EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C4AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00C4AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C79576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00C79576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4ffd6d06-d
Source: file.exe, 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c096f413-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f3ff2f9a-7
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_678ef23e-1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C4D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C4D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C41201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C41201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C4E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C4E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C52046	0_2_00C52046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE8060	0_2_00BE8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C48298	0_2_00C48298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C1E4FF	0_2_00C1E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C1676B	0_2_00C1676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C74873	0_2_00C74873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BECAF0	0_2_00BECAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C0CAA0	0_2_00C0CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFCC39	0_2_00BFCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C16DD9	0_2_00C16DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE91C0	0_2_00BE91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFB119	0_2_00BFB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C01394	0_2_00C01394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C01706	0_2_00C01706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C0781B	0_2_00C0781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C019B0	0_2_00C019B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE7920	0_2_00BE7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF997D	0_2_00BF997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C07A4A	0_2_00C07A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C07CA7	0_2_00C07CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C01C77	0_2_00C01C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C19EEE	0_2_00C19EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6BE44	0_2_00C6BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C01F32	0_2_00C01F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00BFF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C00A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@32/30@12/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C537B5 GetLastError,FormatMessageW,

0_2_00C537B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C410BF AdjustTokenPrivileges,CloseHandle,		0_2_00C410BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C416C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C551CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C4D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C4D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C5648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C5648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00BE42A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\9465f757-d7d3-4c50-8c68-4dd09a75ca77.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:2312:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1728 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5132 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1728 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5132 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BE42DE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C00A76 push ecx; ret	0_2_00C00A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BED014 push cs; ret	0_2_00BED01E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1263 pushad ; ret	0_2_00BF1266
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF125F pushad ; ret	0_2_00BF1262
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1253 pushad ; ret	0_2_00BF1256
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF124F pushad ; ret	0_2_00BF1252
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF124D pushad ; ret	0_2_00BF124E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1247 pushad ; ret	0_2_00BF124A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C356D8 push eax; ret	0_2_00C356DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C356E9 push esp; ret	0_2_00C356EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C357E1 push ebx; ret	0_2_00C357E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C357E4 push esi; ret	0_2_00C357FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3178B push ss; ret	0_2_00C3179D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31788 push ss; ret	0_2_00C31789
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35788 push eax; ret	0_2_00C3578A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35799 push esp; ret	0_2_00C3579A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3179F push ss; ret	0_2_00C317A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C317A3 push ss; ret	0_2_00C317A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C317A8 push ss; ret	0_2_00C317A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C317AC push ss; ret	0_2_00C317AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C317B0 push ss; ret	0_2_00C317B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C357B5 push ebx; ret	0_2_00C357B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35741 push esp; ret	0_2_00C35742
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3575C push eax; ret	0_2_00C3575E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3576D push esp; ret	0_2_00C3576E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35707 push eax; ret	0_2_00C35712
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35705 push ecx; ret	0_2_00C35706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35730 push eax; ret	0_2_00C35732
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35801 push esi; ret	0_2_00C35802
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35805 push esi; ret	0_2_00C35806
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C35809 push esi; ret	0_2_00C3580A

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00BFF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C71C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00C71C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95960

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C4DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C568EE FindFirstFileW,FindClose,	0_2_00C568EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C5698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C4D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C4D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C59642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C59642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C5979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C59B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C59B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C55C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C55C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BE42DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C5EAA2 BlockInput,

0_2_00C5EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C12622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C12622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BE42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C04CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C04CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C40B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00C40B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C12622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C12622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C0083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C0083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C009D5 SetUnhandledExceptionFilter,	0_2_00C009D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C00C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C00C21

Source: C:\Users\user\Desktop\file.exe

0_2_00C41201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C22BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C22BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C4B226 SendInput,keybd_event,

0_2_00C4B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00C622DA

Source: C:\Users\user\Desktop\file.exe

0_2_00C40B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C41663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C41663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C00698 cpuid

0_2_00C00698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C58195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00C58195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C3D27A GetUserNameW,

0_2_00C3D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C1BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C1BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00BE42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1674602298.000000000111F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1675033646.0000000001122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7292, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1674602298.000000000111F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1675033646.0000000001122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7292, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C61204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00C61204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C61806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C61806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	11%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	172.217.16.206	true	false	unknown
www3.l.google.com	142.250.185.238	true	false	unknown
play.google.com	142.250.185.78	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
youtube.com	142.250.185.142	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_76.3.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_76.3.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_82.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_76.3.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_82.3.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_76.3.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_76.3.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_76.3.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_76.3.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_76.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	play.google.com	United States	15169	GOOGLEUS	false
172.217.16.206	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
172.217.18.14	unknown	United States	15169	GOOGLEUS	false
142.250.185.238	www3.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	youtube.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523732
Start date and time:	2024-10-02 00:36:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@32/30@12/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 35 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 142.250.186.78, 64.233.167.84, 34.104.35.123, 142.250.74.195, 142.250.181.227, 142.250.185.106, 142.250.185.170, 172.217.23.106, 172.217.16.202, 142.250.186.106, 142.250.185.138, 216.58.206.74, 142.250.186.138, 142.250.185.74, 142.250.185.234, 142.250.186.42, 216.58.212.170, 142.250.185.202, 142.250.186.170, 172.217.18.106, 172.217.18.10, 142.250.186.74, 216.58.206.42, 142.250.181.234, 93.184.221.240, 192.229.221.95, 142.250.186.163, 64.233.166.84, 142.250.186.110
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://memakers-my.sharepoint.com/:f:/p/saeed/EuiMdoZoPpVNthIaEwKAedkBDFKyUdriWNhHe2RDzQxMdQ?e=5hQMeB&xsdata=MDV8MDJ8cGhlcm1hbkBidXJiYW5rY2EuZ292fDU4NDFjYjVhMjQzNDQ2YjU2ODZmMDhkY2Q3ZjZlNzZlfDY0OGRhZTMxMTgyYjRkYTI5OWVmMjU4MWFiOGU4YmVhfDB8MHw2Mzg2MjI3MDI2NDY5MTMzMDB8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDQwMDAwfHx8&sdata=STFxSjJFWXZ2WnFoSWJsSml1L3V4emhPdHNVTmE5OWJmbjZsSDRKcjlyND0%3d	Get hash	malicious	HTMLPhisher	Browse
	Electronic_Receipt_ATT0001.htm	Get hash	malicious	Unknown	Browse
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse
	http://www.johnhdaniel.com	Get hash	malicious	Unknown	Browse
	https://convertwithwave.com	Get hash	malicious	Unknown	Browse
	http://detection.fyi	Get hash	malicious	NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig	Browse
	https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg	Get hash	malicious	HTMLPhisher	Browse
	https://dvs.ntoinetted.com/kJthYXSER3TmsdtC7bAT5eXqQ/#geir@byggernfauske.no	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Electronic_Receipt_ATT0001.htm	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	http://www.johnhdaniel.com	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://convertwithwave.com	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	http://detection.fyi	Get hash	malicious	NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig	Browse	4.245.163.56 184.28.90.27
	00#U2800.exe	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	https://dvs.ntoinetted.com/kJthYXSER3TmsdtC7bAT5eXqQ/#geir@byggernfauske.no	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.245.163.56 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.245.163.56 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
Reputation:	low
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
Reputation:	low
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698314
Entropy (8bit):	5.595120835898624
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
MD5:	F82438F9EAD5F57493C673008EED9E09
SHA1:	E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
SHA-256:	B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
SHA-512:	89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791086230020914
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
MD5:	1A3606C746E7B1C949D9078E8E8C1244
SHA1:	56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
SHA-256:	5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
SHA-512:	F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.581089870788196
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'016 bytes
MD5:	c3d56c65ad5db36d2dccb9cc2ac8577e
SHA1:	ff3510dbdd291084aff47d373ff9ee799a258b90
SHA256:	2896008f0fc7eb35149aa261b1b22f85e5529c6dccfe3c54bb128f2f049bc0c2
SHA512:	fd8392ea234d3667a8f17b3ab2b3121b1aee665ef7030c66b6141974e03b3196a36f76c1391bb8ee6d205c1f66165f2c4f2cb6299106f6579cd9f1a8734545d9
SSDEEP:	12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaTTE:FqDEvCTbMWu7rQYlBQcBiT6rprG8anE
TLSH:	A0159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FC7618 [Tue Oct 1 22:22:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7EBC89FA33h
jmp 00007F7EBC89F33Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7EBC89F51Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7EBC89F4EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7EBC8A20DDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7EBC8A2128h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7EBC8A2111h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9750	0x9800	05c5c3185d0f77512415dc3111cc48fc	False	0.29422800164473684	data	5.225835707169579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa18	data			1.0042569659442724
RT_GROUP_ICON	0xdd1d0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd248	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd25c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd270	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd284	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd360	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 00:36:59.963304996 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:36:59.963334084 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:36:59.963396072 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:36:59.964911938 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:36:59.964922905 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.624212980 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.664489031 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.698690891 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.698712111 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.699249983 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.699312925 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.700349092 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.700661898 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.704787970 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.704854965 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.709775925 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.709784985 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.758183956 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.919435978 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.919492006 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.919549942 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.919593096 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.919636011 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.924035072 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 2, 2024 00:37:00.924052954 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 2, 2024 00:37:00.940047979 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:00.940085888 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:00.940145969 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:00.940515995 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:00.940527916 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.596805096 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.597407103 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:01.597443104 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.597834110 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.597902060 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:01.598527908 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.598576069 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:01.600027084 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:01.600086927 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.600531101 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:01.600538015 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.648844004 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:01.896157026 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.896177053 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.896390915 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:01.896410942 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.896456957 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.898791075 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:01.898799896 CEST	443	49736	172.217.16.206	192.168.2.4
Oct 2, 2024 00:37:01.898837090 CEST	49736	443	192.168.2.4	172.217.16.206
Oct 2, 2024 00:37:03.136621952 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 2, 2024 00:37:04.511218071 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:04.511257887 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:04.511332035 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:04.511641979 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:04.511656046 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:04.827030897 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:04.827071905 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:04.827137947 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:04.829629898 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:04.829648018 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.172305107 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:05.172584057 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:05.172612906 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:05.173477888 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:05.173547983 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:05.174513102 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:05.174570084 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:05.222276926 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:05.222295046 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:05.275913000 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:05.498316050 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.498379946 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.511770964 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.511786938 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.512020111 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.551851988 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.725008965 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.767412901 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.915159941 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.915307999 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.915368080 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.915431976 CEST	49743	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.915451050 CEST	443	49743	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.951339006 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.951375961 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:05.951495886 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.951842070 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:05.951855898 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:06.591196060 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:06.591289043 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:06.592628002 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:06.592642069 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:06.592888117 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:06.594167948 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:06.635413885 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:06.867782116 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:06.867868900 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:06.868029118 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:06.869330883 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:06.869350910 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:06.869359970 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 00:37:06.869364977 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 00:37:08.781060934 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:08.781110048 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:08.781197071 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:08.782109022 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:08.782123089 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.510869026 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.511039972 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.511059046 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.511559963 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.511624098 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.512273073 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.512331963 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.513559103 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.513632059 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.513870955 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.513878107 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.555418968 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.828267097 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.828322887 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.828481913 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.828505993 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.828557968 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.829101086 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.829184055 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.834889889 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.834964991 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.840797901 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.840847015 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.840919018 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.840934992 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.840979099 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.846900940 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.846976995 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.853080034 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.853115082 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.853179932 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.853188992 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.853225946 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.915528059 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.915560007 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.915623903 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.915643930 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.915688038 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.917026997 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.917088985 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.923094034 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.923156023 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.923222065 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.923275948 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.929538965 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.929608107 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.935714006 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.935817957 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.935827971 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.942173004 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.942219019 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.942226887 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.948863029 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.948926926 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.948935032 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.949044943 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.949099064 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.971797943 CEST	49756	443	192.168.2.4	142.250.185.238
Oct 2, 2024 00:37:09.971820116 CEST	443	49756	142.250.185.238	192.168.2.4
Oct 2, 2024 00:37:09.979542017 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:09.979635000 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:09.979681969 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:09.979707956 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:09.979732990 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:09.979794025 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:09.980005980 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:09.980041981 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:09.980175018 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:09.980201006 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.611341000 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.611505985 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.611566067 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.611938000 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.612009048 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.612447023 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.612605095 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.612622023 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.612622976 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.612693071 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.613037109 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.613101959 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.613738060 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.613795996 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.613974094 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.614042997 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.614043951 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.614109039 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.614403009 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.614418983 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.614552021 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.614564896 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:10.666850090 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:10.666850090 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.045696974 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.045700073 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.045768023 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.045773029 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.045830965 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.045830965 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.046329975 CEST	49761	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.046386003 CEST	443	49761	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.046725035 CEST	49762	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.046739101 CEST	443	49762	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.047596931 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.047643900 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.047718048 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.048346996 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.048377991 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.048441887 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.049159050 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.049175978 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.049518108 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.049535990 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.687915087 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.688076019 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.688097000 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.688499928 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.688564062 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.689238071 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.689311981 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.689415932 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.689483881 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.689505100 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.689518929 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.689553022 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.693293095 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.693463087 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.693483114 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.693826914 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.693886995 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.694439888 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.694494963 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.694598913 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.694654942 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.694689035 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.694689035 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.694705963 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.742820024 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.742831945 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.742990017 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.743016958 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.789671898 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.789884090 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.910422087 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.911633968 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.911711931 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.912476063 CEST	49765	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.912489891 CEST	443	49765	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.916533947 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.917402029 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.917457104 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.917952061 CEST	49764	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:11.917965889 CEST	443	49764	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:11.972606897 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:12.015403986 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:12.244535923 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:12.244575977 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:12.244607925 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:12.244626999 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:12.244637966 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:12.244647980 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:12.244680882 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:12.245086908 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:12.245134115 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:12.246823072 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:37:12.246836901 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 2, 2024 00:37:16.007482052 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:16.007519960 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:16.007589102 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:16.008997917 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:16.009010077 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:16.802949905 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:16.803029060 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:16.806083918 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:16.806098938 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:16.806343079 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:16.851972103 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:17.525223017 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:17.567414999 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.783807039 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.783828974 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.783835888 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.783843994 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.783874035 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.783946991 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:17.783967972 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.783978939 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.784058094 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:17.784575939 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.784617901 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:17.785067081 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:17.903388977 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:17.903435946 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:17.904299021 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:17.904524088 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:17.904539108 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:18.436394930 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:18.436425924 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:18.436436892 CEST	49773	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:18.436441898 CEST	443	49773	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:18.565063000 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:18.565541983 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:18.565567017 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:18.565877914 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:18.566210985 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:18.566268921 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:18.566370964 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:18.566389084 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:18.566395044 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:18.896766901 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:18.897907019 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:18.897964001 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:18.898576975 CEST	49778	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:18.898602009 CEST	443	49778	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:19.488193989 CEST	80	49723	178.79.238.128	192.168.2.4
Oct 2, 2024 00:37:19.488372087 CEST	49723	80	192.168.2.4	178.79.238.128
Oct 2, 2024 00:37:19.488372087 CEST	49723	80	192.168.2.4	178.79.238.128
Oct 2, 2024 00:37:19.493400097 CEST	80	49723	178.79.238.128	192.168.2.4
Oct 2, 2024 00:37:34.266509056 CEST	80	49724	178.79.238.128	192.168.2.4
Oct 2, 2024 00:37:34.266740084 CEST	49724	80	192.168.2.4	178.79.238.128
Oct 2, 2024 00:37:34.266741037 CEST	49724	80	192.168.2.4	178.79.238.128
Oct 2, 2024 00:37:34.272249937 CEST	80	49724	178.79.238.128	192.168.2.4
Oct 2, 2024 00:37:40.246722937 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.246763945 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:40.246886015 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.247143030 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.247157097 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:40.276688099 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.276699066 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:40.276834965 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.277024984 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.277034044 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:40.885062933 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:40.885364056 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.885396957 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:40.885727882 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:40.886305094 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.886365891 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:40.886472940 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.886511087 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:40.886516094 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.029211998 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.029450893 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.029472113 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.030774117 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.031096935 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.031253099 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.031260014 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.031269073 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.031276941 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.069252968 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.069314003 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.069444895 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.069824934 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.069838047 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.071407080 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.083791018 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.184998035 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.185115099 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.185169935 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.185496092 CEST	49781	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.185511112 CEST	443	49781	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.331057072 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.332254887 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.332360983 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.332643032 CEST	49782	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.332663059 CEST	443	49782	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.719075918 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.719294071 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.719307899 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.719624996 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.719871998 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.719927073 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.719985962 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.720000982 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.720009089 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.943229914 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.943947077 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:41.944035053 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.944282055 CEST	49784	443	192.168.2.4	142.250.185.78
Oct 2, 2024 00:37:41.944298983 CEST	443	49784	142.250.185.78	192.168.2.4
Oct 2, 2024 00:37:55.075081110 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:55.075141907 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:55.075231075 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:55.075753927 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:55.075768948 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:55.845032930 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:55.845171928 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:55.849387884 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:55.849399090 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:55.849704027 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:55.859458923 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:55.907397985 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.165668964 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.165712118 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.165730953 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.165788889 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:56.165819883 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.165837049 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:56.165872097 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:56.167252064 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.167289019 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.167315960 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:56.167325020 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.167346001 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:56.167352915 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.167393923 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:56.170641899 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:56.170661926 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:37:56.170676947 CEST	49785	443	192.168.2.4	4.245.163.56
Oct 2, 2024 00:37:56.170684099 CEST	443	49785	4.245.163.56	192.168.2.4
Oct 2, 2024 00:38:04.556451082 CEST	49787	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:38:04.556519985 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:04.556637049 CEST	49787	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:38:04.557002068 CEST	49787	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:38:04.557020903 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:05.189393044 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:05.189894915 CEST	49787	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:38:05.189927101 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:05.190259933 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:05.190562010 CEST	49787	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:38:05.190623045 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:05.242683887 CEST	49787	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:38:10.865025997 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:10.865073919 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:10.865140915 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:10.865398884 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:10.865412951 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.337508917 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.337635994 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.337738037 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.338721991 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.338773966 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.518171072 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.518618107 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.518630028 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.519135952 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.519438028 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.519526005 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.519612074 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.519623995 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.519639015 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.821962118 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.822628975 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.822695971 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.822815895 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.822830915 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.994741917 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.995105028 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.995162964 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.995498896 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.995804071 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.995871067 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:11.995976925 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.996015072 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:11.996026993 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:12.299196005 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:12.299478054 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:12.299643040 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:12.301008940 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:12.301053047 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:15.105006933 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:15.105078936 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:15.105223894 CEST	49787	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:38:28.791915894 CEST	49787	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:38:28.791953087 CEST	443	49787	216.58.206.68	192.168.2.4
Oct 2, 2024 00:38:40.902496099 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:40.902601957 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:40.902707100 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:40.902977943 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:40.903002024 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:41.536688089 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:41.537101030 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:41.537127018 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:41.537492990 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:41.537887096 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:41.537945032 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:41.537965059 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:41.537997961 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:41.538006067 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:41.835728884 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:41.835917950 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:41.835973024 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:41.836328030 CEST	49793	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:41.836368084 CEST	443	49793	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.026493073 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.026586056 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.026683092 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.026958942 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.026995897 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.683300972 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.683585882 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.683629990 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.684006929 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.684416056 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.684479952 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.684598923 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.684634924 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.684645891 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.989069939 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.990092993 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:38:43.990168095 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.990312099 CEST	49794	443	192.168.2.4	172.217.18.14
Oct 2, 2024 00:38:43.990341902 CEST	443	49794	172.217.18.14	192.168.2.4
Oct 2, 2024 00:39:04.613444090 CEST	49795	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:39:04.613488913 CEST	443	49795	216.58.206.68	192.168.2.4
Oct 2, 2024 00:39:04.613553047 CEST	49795	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:39:04.613857031 CEST	49795	443	192.168.2.4	216.58.206.68
Oct 2, 2024 00:39:04.613871098 CEST	443	49795	216.58.206.68	192.168.2.4
Oct 2, 2024 00:39:05.333673000 CEST	443	49795	216.58.206.68	192.168.2.4
Oct 2, 2024 00:39:05.383543015 CEST	49795	443	192.168.2.4	216.58.206.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 00:36:59.895057917 CEST	57480	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:36:59.895212889 CEST	49395	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:36:59.900965929 CEST	53	50838	1.1.1.1	192.168.2.4
Oct 2, 2024 00:36:59.901743889 CEST	53	57480	1.1.1.1	192.168.2.4
Oct 2, 2024 00:36:59.902152061 CEST	53	49395	1.1.1.1	192.168.2.4
Oct 2, 2024 00:36:59.904505014 CEST	53	50168	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:00.927470922 CEST	60737	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:37:00.927601099 CEST	55807	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:37:00.934422016 CEST	53	55807	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:00.934827089 CEST	53	60737	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:00.981393099 CEST	53	52859	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:04.503001928 CEST	52285	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:37:04.503262997 CEST	56062	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:37:04.509757996 CEST	53	52285	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:04.510097027 CEST	53	56062	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:06.244436979 CEST	53	50892	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:08.770756006 CEST	49346	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:37:08.770922899 CEST	49693	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:37:08.779064894 CEST	53	49346	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:08.780227900 CEST	53	49693	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:09.876513958 CEST	62979	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:37:09.876707077 CEST	49974	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:37:09.885452032 CEST	53	49974	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:09.885493994 CEST	53	62979	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:12.387917042 CEST	53	63815	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:17.906400919 CEST	53	60300	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:20.171458006 CEST	138	138	192.168.2.4	192.168.2.255
Oct 2, 2024 00:37:36.643400908 CEST	53	61742	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:59.264184952 CEST	53	54164	1.1.1.1	192.168.2.4
Oct 2, 2024 00:37:59.800369978 CEST	53	58141	1.1.1.1	192.168.2.4
Oct 2, 2024 00:38:07.895442963 CEST	53	63779	1.1.1.1	192.168.2.4
Oct 2, 2024 00:38:10.857079029 CEST	60399	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:38:10.857225895 CEST	54172	53	192.168.2.4	1.1.1.1
Oct 2, 2024 00:38:10.864363909 CEST	53	60399	1.1.1.1	192.168.2.4
Oct 2, 2024 00:38:10.864626884 CEST	53	54172	1.1.1.1	192.168.2.4
Oct 2, 2024 00:38:28.799439907 CEST	53	58098	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 00:36:59.895057917 CEST	192.168.2.4	1.1.1.1	0x51d7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:36:59.895212889 CEST	192.168.2.4	1.1.1.1	0x9d16	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 00:37:00.927470922 CEST	192.168.2.4	1.1.1.1	0x4db5	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.927601099 CEST	192.168.2.4	1.1.1.1	0xa65d	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 00:37:04.503001928 CEST	192.168.2.4	1.1.1.1	0xb921	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:04.503262997 CEST	192.168.2.4	1.1.1.1	0x28ca	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 00:37:08.770756006 CEST	192.168.2.4	1.1.1.1	0xf349	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:08.770922899 CEST	192.168.2.4	1.1.1.1	0x5cbd	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 00:37:09.876513958 CEST	192.168.2.4	1.1.1.1	0xa64a	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:09.876707077 CEST	192.168.2.4	1.1.1.1	0x2fb0	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 00:38:10.857079029 CEST	192.168.2.4	1.1.1.1	0x7d40	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:38:10.857225895 CEST	192.168.2.4	1.1.1.1	0xf9b1	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 00:36:59.901743889 CEST	1.1.1.1	192.168.2.4	0x51d7	No error (0)	youtube.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:36:59.902152061 CEST	1.1.1.1	192.168.2.4	0x9d16	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 00:37:00.934422016 CEST	1.1.1.1	192.168.2.4	0xa65d	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934422016 CEST	1.1.1.1	192.168.2.4	0xa65d	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:00.934827089 CEST	1.1.1.1	192.168.2.4	0x4db5	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:04.509757996 CEST	1.1.1.1	192.168.2.4	0xb921	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:04.510097027 CEST	1.1.1.1	192.168.2.4	0x28ca	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 00:37:08.779064894 CEST	1.1.1.1	192.168.2.4	0xf349	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 00:37:08.779064894 CEST	1.1.1.1	192.168.2.4	0xf349	No error (0)	www3.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:37:08.780227900 CEST	1.1.1.1	192.168.2.4	0x5cbd	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 00:37:09.885493994 CEST	1.1.1.1	192.168.2.4	0xa64a	No error (0)	play.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 00:38:10.864363909 CEST	1.1.1.1	192.168.2.4	0x7d40	No error (0)	play.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	142.250.185.142	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:00 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 22:37:00 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 22:37:00 GMT Date: Tue, 01 Oct 2024 22:37:00 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	172.217.16.206	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:01 UTC	869	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 22:37:01 UTC	2656	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 22:37:01 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Tue, 01-Oct-2024 23:07:01 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=GUPtDA6-E4U; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=SJDpo4QikuU; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 22:37:01 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgUQ%3D%3D; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 22:37:01 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:05 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 22:37:05 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=151725 Date: Tue, 01 Oct 2024 22:37:05 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:06 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 22:37:06 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=151668 Date: Tue, 01 Oct 2024 22:37:06 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 22:37:06 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	142.250.185.238	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:09 UTC	1236	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-876195964&timestamp=1727822227278 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 22:37:09 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-raaK-jyjlPPRwYzrKhpwXg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 22:37:09 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmLw1ZBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh2Pq54_b2QRmzLx6nUlJLym_MD4zJTWvJLOkMiU_NzEzLzk_Pzsztbg4tagstSjeyMDIxMDSyEjPwCK-wAAA7kMtww" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 72 61 61 4b 2d 6a 79 6a 6c 50 50 52 77 59 7a 72 4b 68 70 77 58 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="raaK-jyjlPPRwYzrKhpwXg">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-01 22:37:09 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49762	142.250.185.78	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:10 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 22:37:11 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:37:10 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49761	142.250.185.78	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:10 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 22:37:11 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:37:10 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49765	142.250.185.78	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:11 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 22:37:11 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 32 32 32 38 34 38 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727822228480",null,null,null
2024-10-01 22:37:11 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=Pum39QOk81L4zlf6Tf8Q-f35NzcnHe1BUFcETVWn6Uq7E4xAhev_3Vv8bQveBGJfyia1_cc0-sN1pJnaU5NZviPqXjMlteCqDhkoEeGCLKfFo7F53_p4-bzuW1aS3BQ2ZnZ-qGP5MFnztHm-0PrGsTp142GEBBNjH_PM7l9a9z-qNCVPK_Y; expires=Wed, 02-Apr-2025 22:37:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:37:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 22:37:11 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 22:37:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:37:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49764	142.250.185.78	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:11 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 505 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 22:37:11 UTC	505	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 32 32 32 38 33 38 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727822228388",null,null,null
2024-10-01 22:37:11 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=P90Z9-rXxK8_-E7wu12zzGdvRWxsnY-_leVqqQoS-pzJEQClsVY9q37cPJQwB3Clkppog8Xo3b4nQUyA0S0tdsBntGuTqKWxk61G_KZvzykkWuVE7dfrgb4ExK0B_4VDfDKKhoyy_25j323J--R478_pDvzbMPDCnKJaoZSfC8OJpCNyDQ; expires=Wed, 02-Apr-2025 22:37:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:37:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 22:37:11 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 22:37:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:37:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	216.58.206.68	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:11 UTC	1213	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=P90Z9-rXxK8_-E7wu12zzGdvRWxsnY-_leVqqQoS-pzJEQClsVY9q37cPJQwB3Clkppog8Xo3b4nQUyA0S0tdsBntGuTqKWxk61G_KZvzykkWuVE7dfrgb4ExK0B_4VDfDKKhoyy_25j323J--R478_pDvzbMPDCnKJaoZSfC8OJpCNyDQ
2024-10-01 22:37:12 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 01 Oct 2024 17:34:06 GMT Expires: Wed, 09 Oct 2024 17:34:06 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 18186 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 22:37:12 UTC	684	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 22:37:12 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
2024-10-01 22:37:12 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 22:37:12 UTC	1390	IN	Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBF!4I
2024-10-01 22:37:12 UTC	576	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49773	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:17 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gGA4BVfGXFGsMWA&MD=2z9Zt9P4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 22:37:17 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 3e2a1f37-dfe1-4ad7-bd74-b8711f21ad04 MS-RequestId: 39fa14d7-2fa2-4e9b-be31-364a498702c6 MS-CV: JBpTjCzDMEmXY6w1.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 22:37:17 GMT Connection: close Content-Length: 24490
2024-10-01 22:37:17 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 22:37:17 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49778	142.250.185.78	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:18 UTC	1298	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1218 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=P90Z9-rXxK8_-E7wu12zzGdvRWxsnY-_leVqqQoS-pzJEQClsVY9q37cPJQwB3Clkppog8Xo3b4nQUyA0S0tdsBntGuTqKWxk61G_KZvzykkWuVE7dfrgb4ExK0B_4VDfDKKhoyy_25j323J--R478_pDvzbMPDCnKJaoZSfC8OJpCNyDQ
2024-10-01 22:37:18 UTC	1218	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 32 32 32 32 36 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727822226000",null,null,null,
2024-10-01 22:37:18 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=YPpcQOiT8cPYyrirgHUQOavzSCcCSiYY_O9TmoUACVANyMxNzkoWd7VpJe0pwzKIuRiRdrWh5551SBXDIq8QQfMw2piHhPKSMsAxcd1qwewhy1a2ZJn-0PrBe_D1MBeCmJnw7kWjNLhBT2UgLKOpBZTgt1WIU1dThk4WvIWGRAiapp9dM7iYuyrzQQ; expires=Wed, 02-Apr-2025 22:37:18 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:37:18 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 22:37:18 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 22:37:18 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:37:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49781	142.250.185.78	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:40 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1183 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=YPpcQOiT8cPYyrirgHUQOavzSCcCSiYY_O9TmoUACVANyMxNzkoWd7VpJe0pwzKIuRiRdrWh5551SBXDIq8QQfMw2piHhPKSMsAxcd1qwewhy1a2ZJn-0PrBe_D1MBeCmJnw7kWjNLhBT2UgLKOpBZTgt1WIU1dThk4WvIWGRAiapp9dM7iYuyrzQQ
2024-10-01 22:37:40 UTC	1183	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 32 32 35 38 37 35 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727822258758",null,null,null
2024-10-01 22:37:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:37:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 22:37:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:37:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49782	142.250.185.78	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:41 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1194 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=YPpcQOiT8cPYyrirgHUQOavzSCcCSiYY_O9TmoUACVANyMxNzkoWd7VpJe0pwzKIuRiRdrWh5551SBXDIq8QQfMw2piHhPKSMsAxcd1qwewhy1a2ZJn-0PrBe_D1MBeCmJnw7kWjNLhBT2UgLKOpBZTgt1WIU1dThk4WvIWGRAiapp9dM7iYuyrzQQ
2024-10-01 22:37:41 UTC	1194	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 32 32 35 38 37 38 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727822258789",null,null,null
2024-10-01 22:37:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:37:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 22:37:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:37:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49784	142.250.185.78	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:41 UTC	1289	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1037 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=YPpcQOiT8cPYyrirgHUQOavzSCcCSiYY_O9TmoUACVANyMxNzkoWd7VpJe0pwzKIuRiRdrWh5551SBXDIq8QQfMw2piHhPKSMsAxcd1qwewhy1a2ZJn-0PrBe_D1MBeCmJnw7kWjNLhBT2UgLKOpBZTgt1WIU1dThk4WvIWGRAiapp9dM7iYuyrzQQ
2024-10-01 22:37:41 UTC	1037	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-01 22:37:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:37:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 22:37:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:37:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49785	4.245.163.56	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:37:55 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gGA4BVfGXFGsMWA&MD=2z9Zt9P4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 22:37:56 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: a97c8a13-a5c8-4023-9936-f9b7c5edf0d1 MS-RequestId: d965d17e-efff-4a34-9556-8b2ba7367910 MS-CV: w4WCnLOzskKbxNOw.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 22:37:55 GMT Connection: close Content-Length: 30005
2024-10-01 22:37:56 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 22:37:56 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49789	172.217.18.14	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:38:11 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1258 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=YPpcQOiT8cPYyrirgHUQOavzSCcCSiYY_O9TmoUACVANyMxNzkoWd7VpJe0pwzKIuRiRdrWh5551SBXDIq8QQfMw2piHhPKSMsAxcd1qwewhy1a2ZJn-0PrBe_D1MBeCmJnw7kWjNLhBT2UgLKOpBZTgt1WIU1dThk4WvIWGRAiapp9dM7iYuyrzQQ
2024-10-01 22:38:11 UTC	1258	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 32 32 38 39 33 37 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727822289377",null,null,null
2024-10-01 22:38:11 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:38:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 22:38:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:38:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49791	172.217.18.14	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:38:11 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1237 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=YPpcQOiT8cPYyrirgHUQOavzSCcCSiYY_O9TmoUACVANyMxNzkoWd7VpJe0pwzKIuRiRdrWh5551SBXDIq8QQfMw2piHhPKSMsAxcd1qwewhy1a2ZJn-0PrBe_D1MBeCmJnw7kWjNLhBT2UgLKOpBZTgt1WIU1dThk4WvIWGRAiapp9dM7iYuyrzQQ
2024-10-01 22:38:11 UTC	1237	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 32 32 38 39 38 30 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727822289802",null,null,null
2024-10-01 22:38:12 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:38:12 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 22:38:12 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:38:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49793	172.217.18.14	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:38:41 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1259 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=YPpcQOiT8cPYyrirgHUQOavzSCcCSiYY_O9TmoUACVANyMxNzkoWd7VpJe0pwzKIuRiRdrWh5551SBXDIq8QQfMw2piHhPKSMsAxcd1qwewhy1a2ZJn-0PrBe_D1MBeCmJnw7kWjNLhBT2UgLKOpBZTgt1WIU1dThk4WvIWGRAiapp9dM7iYuyrzQQ
2024-10-01 22:38:41 UTC	1259	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 32 33 31 39 34 32 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727822319423",null,null,null
2024-10-01 22:38:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:38:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 22:38:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:38:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49794	172.217.18.14	443	7528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 22:38:43 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1099 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=YPpcQOiT8cPYyrirgHUQOavzSCcCSiYY_O9TmoUACVANyMxNzkoWd7VpJe0pwzKIuRiRdrWh5551SBXDIq8QQfMw2piHhPKSMsAxcd1qwewhy1a2ZJn-0PrBe_D1MBeCmJnw7kWjNLhBT2UgLKOpBZTgt1WIU1dThk4WvIWGRAiapp9dM7iYuyrzQQ
2024-10-01 22:38:43 UTC	1099	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 32 32 33 32 31 35 34 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727822321547",null,null,null
2024-10-01 22:38:43 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 22:38:43 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 22:38:43 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 22:38:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:36:57
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xbe0000
File size:	918'016 bytes
MD5 hash:	C3D56C65AD5DB36D2DCCB9CC2AC8577E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1674602298.000000000111F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000002.1675033646.0000000001122000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:36:57
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	18:36:58
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1728 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	18:37:08
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5132 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	18:37:08
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1752,i,13866675433473403451,18282274765664296240,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:37:20
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1435
Total number of Limit Nodes:	39

Executed Functions

Function 00BE42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00BE430D

Part of subcall function 00BE6B57: _wcslen.LIBCMT ref: 00BE6B6A

GetCurrentProcess.KERNEL32(?,00C7CB64,00000000,?,?), ref: 00BE4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00BE4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00BE4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BE4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00BE4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00BE447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00BE44A0

Strings

GetNativeSystemInfo, xrefs: 00BE4460
|O, xrefs: 00C236F8
kernel32.dll, xrefs: 00BE444F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: ed234a70c0955bc80695c7d5317c1711bec988c637a6b3b53d08cc67d7895caf
Instruction ID: 3d60cf7039667dca41fe9a6acf66eaad76cb13dbdcb73128cbb296f0aca7fc86
Opcode Fuzzy Hash: ed234a70c0955bc80695c7d5317c1711bec988c637a6b3b53d08cc67d7895caf
Instruction Fuzzy Hash: 68A1B36591A3D0DFCB11C76A7CA139D7FE47B26700F8C4AA9E88193B72F7244648CB21

Function 00BE42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00BE50AA,?,?,00000000,00000000), ref: 00BE42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BE50AA,?,?,00000000,00000000), ref: 00BE42C9
LoadResource.KERNEL32(?,00000000,?,?,00BE50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BE4F20), ref: 00C235BE
SizeofResource.KERNEL32(?,00000000,?,?,00BE50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BE4F20), ref: 00C235D3
LockResource.KERNEL32(00BE50AA,?,?,00BE50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BE4F20,?), ref: 00C235E6

Strings

SCRIPT, xrefs: 00BE42BF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f0c4c80e59a1a79612cf6194e20081123b9b550549c0d8228d577e360d8f7cbb
Instruction ID: d2d7779c8b68814b1521b62d7d8e79f3d1616fa51a27ed8b81ab42d5ecd16124
Opcode Fuzzy Hash: f0c4c80e59a1a79612cf6194e20081123b9b550549c0d8228d577e360d8f7cbb
Instruction Fuzzy Hash: FB118E70200741BFDB258B66DC88F2B7BB9EBC5B51F1481ADF516D66A0DB71DC448620

Function 00C22BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00BE2B6B

Part of subcall function 00BE3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CB1418,?,00BE2E7F,?,?,?,00000000), ref: 00BE3A78

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00CA2224), ref: 00C22C10
ShellExecuteW.SHELL32(00000000,?,?,00CA2224), ref: 00C22C17

Strings

runas, xrefs: 00C22C0B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 3b0f49338f589a01ac87c26875c661913fbb70685a4e150a2abf42be859d9783
Instruction ID: 36263a1e010e5f32ca568ca780be4532e875b65379068f740f2c6e294e33ef59
Opcode Fuzzy Hash: 3b0f49338f589a01ac87c26875c661913fbb70685a4e150a2abf42be859d9783
Instruction Fuzzy Hash: F411D6311083C16AC714FF72D895EBE77E89F91750F5814ADF586170A2DF218A4A8712

Function 00C4D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C4D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C4D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C4D52F
CloseHandle.KERNELBASE(00000000), ref: 00C4D5DC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0203ae68d1f7135f9bfd5a34ed65a6dfb320245ffd95624dafab37eae63d9c49
Instruction ID: c7aaecfa40471205b9f53c6c0a594c3a3b0a52dd0768099c560e72d9d048a1ab
Opcode Fuzzy Hash: 0203ae68d1f7135f9bfd5a34ed65a6dfb320245ffd95624dafab37eae63d9c49
Instruction Fuzzy Hash: 2E31B1711083419FD300EF54D881BAFBBE8FF99354F50096DF586821A1EB71AA88CB92

Function 00C4DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00C25222), ref: 00C4DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00C4DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00C4DBEE
FindClose.KERNEL32(00000000), ref: 00C4DBFA

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: a79656d34c78b61ded09ef15c55693a769cace17e4175633ea7de6f97fbb7a82
Instruction ID: 92a36e9ba801b272f0309e9999a822b2e9b083b1be7e9b8a0e36408067ba8b2c
Opcode Fuzzy Hash: a79656d34c78b61ded09ef15c55693a769cace17e4175633ea7de6f97fbb7a82
Instruction Fuzzy Hash: DCF0A0308109115783217BB8AC8DAAE377CAF02334B50471AF83AC20F0EBB05AD48695

Function 00C04CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C128E9,?,00C04CBE,00C128E9,00CA88B8,0000000C,00C04E15,00C128E9,00000002,00000000,?,00C128E9), ref: 00C04D09
TerminateProcess.KERNEL32(00000000,?,00C04CBE,00C128E9,00CA88B8,0000000C,00C04E15,00C128E9,00000002,00000000,?,00C128E9), ref: 00C04D10
ExitProcess.KERNEL32 ref: 00C04D22

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ae368dc09307e95e9836094d92d2993661a5935c62da9f688a6cd85174a66c2d
Instruction ID: 96a144bfef9fa2ae3e58f19556ea628c3700cbfa037a1d00ce62c10574177e5f
Opcode Fuzzy Hash: ae368dc09307e95e9836094d92d2993661a5935c62da9f688a6cd85174a66c2d
Instruction Fuzzy Hash: 93E0B671000249BBCF15AF54DD49B9D3F69FB41B95B104018FD199A172CB35DE82DA80

Function 00C6AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00C6B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C6B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C6B1D4
_wcslen.LIBCMT ref: 00C6B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C6B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C6B236
_wcslen.LIBCMT ref: 00C6B332

Part of subcall function 00C505A7: GetStdHandle.KERNEL32(000000F6), ref: 00C505C6

_wcslen.LIBCMT ref: 00C6B34B
_wcslen.LIBCMT ref: 00C6B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C6B3B6
GetLastError.KERNEL32(00000000), ref: 00C6B407
CloseHandle.KERNEL32(?), ref: 00C6B439
CloseHandle.KERNEL32(00000000), ref: 00C6B44A
CloseHandle.KERNEL32(00000000), ref: 00C6B45C
CloseHandle.KERNEL32(00000000), ref: 00C6B46E
CloseHandle.KERNEL32(?), ref: 00C6B4E3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 53a5f037d25e2835e9672fae5e5306bad3b1fe058938b11d098692b8d259f24c
Instruction ID: ce17656235ae3e44a06d3a3fcb87a27114bad1fe9694589bc41f70b211078f22
Opcode Fuzzy Hash: 53a5f037d25e2835e9672fae5e5306bad3b1fe058938b11d098692b8d259f24c
Instruction Fuzzy Hash: 8DF1CD716083409FC724EF25C891B2FBBE4AF85314F14846DF9998B2A2DB30ED85CB52

Function 00BED730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BED807
timeGetTime.WINMM ref: 00BEDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BEDB28
TranslateMessage.USER32(?), ref: 00BEDB7B
DispatchMessageW.USER32(?), ref: 00BEDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BEDB9F
Sleep.KERNEL32(0000000A), ref: 00BEDBB1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: bf21fb74300c1993db323f561e615b1263234a92b3922e942982603b7b3330b4
Instruction ID: 6181415c6161465e3803ba41f0dd6785feab9720b44a6ed1d58fa8f0977c1591
Opcode Fuzzy Hash: bf21fb74300c1993db323f561e615b1263234a92b3922e942982603b7b3330b4
Instruction Fuzzy Hash: 8142F430608382DFDB24CF26C884B7AB7E0FF45314F5446ADE96687291D7B4E984DB92

Function 00BE2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BE2D07
RegisterClassExW.USER32(00000030), ref: 00BE2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BE2D42
InitCommonControlsEx.COMCTL32(?), ref: 00BE2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BE2D6F
LoadIconW.USER32(000000A9), ref: 00BE2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BE2D94

Strings

TaskbarCreated, xrefs: 00BE2D37
0, xrefs: 00BE2CE9
+, xrefs: 00BE2CF0
AutoIt v3 GUI, xrefs: 00BE2D23

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 443acc1bfaa4b2c788c49fadc9b653392bcb5a9e7a3f76b56fcd37d5fabe5908
Instruction ID: 9f326ecbf3738f3be42ce9936d21867687b0fc4cddda00872fc636e1a9802bee
Opcode Fuzzy Hash: 443acc1bfaa4b2c788c49fadc9b653392bcb5a9e7a3f76b56fcd37d5fabe5908
Instruction Fuzzy Hash: 1B21F7B1D01349AFDB00DFA4EC99BDDBBB8FB08701F14821AF915A62A0D7B10584CF91

Function 00C2065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C2039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C20704,?,?,00000000,?,00C20704,00000000,0000000C), ref: 00C203B7

GetLastError.KERNEL32 ref: 00C2076F
__dosmaperr.LIBCMT ref: 00C20776
GetFileType.KERNELBASE(00000000), ref: 00C20782
GetLastError.KERNEL32 ref: 00C2078C
__dosmaperr.LIBCMT ref: 00C20795
CloseHandle.KERNEL32(00000000), ref: 00C207B5
CloseHandle.KERNEL32(?), ref: 00C208FF
GetLastError.KERNEL32 ref: 00C20931
__dosmaperr.LIBCMT ref: 00C20938

Strings

H, xrefs: 00C208BD

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3b6110ad7aa95be1a1243097bc6c65dd75da52dcf241cb2d0e47e35bdb0ae011
Instruction ID: cf406549cc10132e79d8418751eb40d831cdf764ddd1ceb54dd9a418045d453c
Opcode Fuzzy Hash: 3b6110ad7aa95be1a1243097bc6c65dd75da52dcf241cb2d0e47e35bdb0ae011
Instruction Fuzzy Hash: EDA11832A041188FDF19EF68EC51BAE7BA0AB46320F24015EF8159B3E2D7319D53DB91

Function 00BE344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BE3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CB1418,?,00BE2E7F,?,?,?,00000000), ref: 00BE3A78

Part of subcall function 00BE3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BE3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BE356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C2318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C231CE
RegCloseKey.ADVAPI32(?), ref: 00C23210
_wcslen.LIBCMT ref: 00C23277
_wcslen.LIBCMT ref: 00C23286

Strings

\Include\, xrefs: 00BE3527
\, xrefs: 00C2328C
Software\AutoIt v3\AutoIt, xrefs: 00BE3560
Include, xrefs: 00C23184, 00C231C5

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 79db31e88f9a172b76f212ca9186c53e16eda470c7406a40d9da6885c548e7f1
Instruction ID: 72d0cf4a467dca1944ebdd60500117299a1dc6b44cdd0f9115349799faa09469
Opcode Fuzzy Hash: 79db31e88f9a172b76f212ca9186c53e16eda470c7406a40d9da6885c548e7f1
Instruction Fuzzy Hash: A67158714043419EC314EF66E885AAEBBECFF99740F404A2EF555931B1EB349A48CB62

Function 00BE2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BE2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00BE2B9D
LoadIconW.USER32(00000063), ref: 00BE2BB3
LoadIconW.USER32(000000A4), ref: 00BE2BC5
LoadIconW.USER32(000000A2), ref: 00BE2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BE2BEF
RegisterClassExW.USER32(?), ref: 00BE2C40

Part of subcall function 00BE2CD4: GetSysColorBrush.USER32(0000000F), ref: 00BE2D07
Part of subcall function 00BE2CD4: RegisterClassExW.USER32(00000030), ref: 00BE2D31
Part of subcall function 00BE2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BE2D42
Part of subcall function 00BE2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00BE2D5F
Part of subcall function 00BE2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BE2D6F
Part of subcall function 00BE2CD4: LoadIconW.USER32(000000A9), ref: 00BE2D85
Part of subcall function 00BE2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BE2D94

Strings

AutoIt v3, xrefs: 00BE2C2F
#, xrefs: 00BE2C16
0, xrefs: 00BE2C0F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f21a94d3542fe7b8e3d303a59421dd3d350f2bd7b2e275fad75d44e82f3e8d62
Instruction ID: 1d22e6c496f37a6207adaf4dd69e1c952f97448ecc4c1accad2480a75c7986a4
Opcode Fuzzy Hash: f21a94d3542fe7b8e3d303a59421dd3d350f2bd7b2e275fad75d44e82f3e8d62
Instruction Fuzzy Hash: 21212F71E00354ABDB109FA5ECA5BAD7FF4FB48B50F58415AEA04A66B0E7B10940CF90

Function 00BE3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BE316A,?,?), ref: 00BE31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00BE316A,?,?), ref: 00BE3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BE3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BE316A,?,?), ref: 00BE3232
CreatePopupMenu.USER32 ref: 00BE3246
PostQuitMessage.USER32(00000000), ref: 00BE3267

Strings

TaskbarCreated, xrefs: 00BE322D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 45c78923792ddc27d0c1d8e0a1ec679c5b4c48515c4a91a7cffa411b3f47f626
Instruction ID: e8afba24972c540351695b0b602629835ba12c955cac7d4e7e600a4d955fc39d
Opcode Fuzzy Hash: 45c78923792ddc27d0c1d8e0a1ec679c5b4c48515c4a91a7cffa411b3f47f626
Instruction Fuzzy Hash: 7F416931204280A7DF141B399C9DBBD37D9EB05B41F4802ADFA56971A1DB71CF40D762

Function 00BE1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BE1459
CoUninitialize.COMBASE ref: 00BE14F8
UnregisterHotKey.USER32(?), ref: 00BE16DD
DestroyWindow.USER32(?), ref: 00C224B9
FreeLibrary.KERNEL32(?), ref: 00C2251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C2254B

Strings

close all, xrefs: 00BE1454

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 196a750bdf3eced285c69d608d203289515b5eccbb2af18ac7f17cf08f5da7d9
Instruction ID: b1429f1518026c21e7da26860738bc9cb1e67ce0bece475a67a89cf4c8ef3fa5
Opcode Fuzzy Hash: 196a750bdf3eced285c69d608d203289515b5eccbb2af18ac7f17cf08f5da7d9
Instruction Fuzzy Hash: 11D18D71701262DFCB29EF19D895A29F7E0BF04700F2486EDE54A6B652CB30AD56CF50

Function 00BE2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BE2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BE2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00BE1CAD,?), ref: 00BE2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00BE1CAD,?), ref: 00BE2CCF

Strings

AutoIt v3, xrefs: 00BE2C89, 00BE2C8E, 00BE2C8F
edit, xrefs: 00BE2CAC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c9c967a5b261ece003ec898ccb4cc16c91507a22a07f94992cdf1e0d9b1b1196
Instruction ID: f910134bcf29052d0909fa78b246cd7d970a86e6919dc7bf633e13f582641acb
Opcode Fuzzy Hash: c9c967a5b261ece003ec898ccb4cc16c91507a22a07f94992cdf1e0d9b1b1196
Instruction Fuzzy Hash: 98F03A755402907AEB301B23AC58F7B2EBDD7C6F51F58411EFE04A21B0E6614840DBB0

Function 00BE3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BE3B0F,SwapMouseButtons,00000004,?), ref: 00BE3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BE3B0F,SwapMouseButtons,00000004,?), ref: 00BE3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00BE3B0F,SwapMouseButtons,00000004,?), ref: 00BE3B83

Strings

Control Panel\Mouse, xrefs: 00BE3B3E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8cef95d95e79b9ecb082af71cecf4ec17990ae1af179a6cc98b0f34d82be278c
Instruction ID: aec8a74383dd3589fd4164130e081e40dc2d59cdcfab254bc2c11298c0445ede
Opcode Fuzzy Hash: 8cef95d95e79b9ecb082af71cecf4ec17990ae1af179a6cc98b0f34d82be278c
Instruction Fuzzy Hash: A8112AB5510248FFDB208FA6DC88AAEB7F8EF44B84B108599E806D7110D3319E4097A0

Function 00BE3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C233A2

Part of subcall function 00BE6B57: _wcslen.LIBCMT ref: 00BE6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BE3A04

Strings

Line: , xrefs: 00C233EB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9939dac31121ce3b5d3371a6290580d44494bed46adf5c77ce24b4290c42aa42
Instruction ID: 4d8c75b7a0d4b704bbfbacaf46f2eae05b9904640988cb18f5378664555efd46
Opcode Fuzzy Hash: 9939dac31121ce3b5d3371a6290580d44494bed46adf5c77ce24b4290c42aa42
Instruction Fuzzy Hash: CB31D471408384AAC725EB21DC59BEFB7D8AF40B10F14466EF599830E1EB749B49C7C6

Function 00BFFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C00668

Part of subcall function 00C032A4: RaiseException.KERNEL32(?,?,?,00C0068A,?,00CB1444,?,?,?,?,?,?,00C0068A,00BE1129,00CA8738,00BE1129), ref: 00C03304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C00685

Strings

Unknown exception, xrefs: 00C00692

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b468bd9c9db186ac10a49346b75d5e6ab24b1bf27842086725f600ee4990360f
Instruction ID: eec95436b15205833f7189803c8f7516c78810c6f0ca447cbc1aad3f2eedc79f
Opcode Fuzzy Hash: b468bd9c9db186ac10a49346b75d5e6ab24b1bf27842086725f600ee4990360f
Instruction Fuzzy Hash: 48F0C23890060EB7CB00BA65DC46EAE7BADAE00350F704571BA24D65D2EF72EB69D590

Function 00BE10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BE1BF4
Part of subcall function 00BE1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BE1BFC
Part of subcall function 00BE1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BE1C07
Part of subcall function 00BE1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BE1C12
Part of subcall function 00BE1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BE1C1A
Part of subcall function 00BE1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BE1C22

Part of subcall function 00BE1B4A: RegisterWindowMessageW.USER32(00000004,?,00BE12C4), ref: 00BE1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BE136A
OleInitialize.OLE32 ref: 00BE1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C224AB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 02429eef9f1864f34a80cf52127c90f33dc5c7d88c095ee54e59c5bacf34e7ee
Instruction ID: 938c1836aaa7e2e7ab412ef0346b057127176f0374e0f447237a8e934414348f
Opcode Fuzzy Hash: 02429eef9f1864f34a80cf52127c90f33dc5c7d88c095ee54e59c5bacf34e7ee
Instruction Fuzzy Hash: 6271B0B49112418EC7A4DF7AA86579D3BE4FB88340BED876EDC0AD72A1EB305449CF50

Function 00C186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C185CC,?,00CA8CC8,0000000C), ref: 00C18704
GetLastError.KERNEL32(?,00C185CC,?,00CA8CC8,0000000C), ref: 00C1870E
__dosmaperr.LIBCMT ref: 00C18739

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: a7b6dbd6844299bed4f127acb203a8c70cdd94d1ed552aecca4eced110bcd2e2
Instruction ID: ae1eacfb8ba756e1badb303f7f7d7f03f9b069b9078111068396f8b7ad82030b
Opcode Fuzzy Hash: a7b6dbd6844299bed4f127acb203a8c70cdd94d1ed552aecca4eced110bcd2e2
Instruction Fuzzy Hash: F5014932A0D62066D664A334A885BFE67494BC3774F39025EF8389B1E2DEA0CDC5B190

Function 00BF1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00BF17F6

Strings

CALL, xrefs: 00BF17C6

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: fa712e0dd8b4bbe40ae53b8468ed0a27133c756495118def02d1b3f5c93cb6d0
Instruction ID: 50b1732d6e0365a358a9c638740dfc3cb7bdff9769b5d21a75430dd1825eb6bc
Opcode Fuzzy Hash: fa712e0dd8b4bbe40ae53b8468ed0a27133c756495118def02d1b3f5c93cb6d0
Instruction Fuzzy Hash: 9C227970608245EFC714DF18C480A3ABBF1AF95354F248DADF69A8B361D731E949CB92

Function 00BE2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C22C8C

Part of subcall function 00BE3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BE3A97,?,?,00BE2E7F,?,?,?,00000000), ref: 00BE3AC2

Part of subcall function 00BE2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BE2DC4

Strings

X, xrefs: 00C22C5A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: aac4da5f9061142edfab8a0c3f8bea34bacaf8f75bc2bad07060c1ce5a9d228c
Instruction ID: 5676a0b1d74e256cd45db0dd4d607e272d43bbf598afa99172d59626fc61d551
Opcode Fuzzy Hash: aac4da5f9061142edfab8a0c3f8bea34bacaf8f75bc2bad07060c1ce5a9d228c
Instruction Fuzzy Hash: 2321D570A00298AFDF01DF95C849BEE7BFCAF49304F048059E515A7241DBB45A898FA1

Function 00BE3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BE3908

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: dc9060948475392caf0f2bd91b089c883cefaf24f2bf458f30717da4c7adfaa0
Instruction ID: b78ba7e1d720bc75385c58a631e0a3fe83cf3d6177ea229f95ff56198deaf971
Opcode Fuzzy Hash: dc9060948475392caf0f2bd91b089c883cefaf24f2bf458f30717da4c7adfaa0
Instruction Fuzzy Hash: 5F31A2705043419FD720DF25D8997ABBBF8FB49708F04096EFA9A83290E771AA44CB52

Function 00BE4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BE4EDD,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4E9C
Part of subcall function 00BE4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BE4EAE
Part of subcall function 00BE4E90: FreeLibrary.KERNEL32(00000000,?,?,00BE4EDD,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4EFD

Part of subcall function 00BE4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C23CDE,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4E62
Part of subcall function 00BE4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BE4E74
Part of subcall function 00BE4E59: FreeLibrary.KERNEL32(00000000,?,?,00C23CDE,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4E87

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 0ee6bef91fb3060c508d78474c6a4acba794779f4f484153924befc31b508680
Instruction ID: 1d0f69e1fe4c89b9ff552ee3ca3512c0380f825a27434c8bb0ddb4290d695a00
Opcode Fuzzy Hash: 0ee6bef91fb3060c508d78474c6a4acba794779f4f484153924befc31b508680
Instruction Fuzzy Hash: 0D11E332600345AACB24BB66DC42FED77E5AF40B11F20886DF546A61C2EF749A459790

Function 00C18402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C18440

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2c082c948b042b59b2aa9a2000f13cdaad35b430195e820d4d376013a70ccc72
Instruction ID: fb35436efea6fff28b9e5ca110eed4c3ed2d679afb731cca5829b933fd14e962
Opcode Fuzzy Hash: 2c082c948b042b59b2aa9a2000f13cdaad35b430195e820d4d376013a70ccc72
Instruction Fuzzy Hash: 6911487190810AAFCB05DF58E940ADE7BF5EF49300F104059F808AB312DA30DA25DBA4

Function 00C15000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C14C7D: RtlAllocateHeap.NTDLL(00000008,00BE1129,00000000,?,00C12E29,00000001,00000364,?,?,?,00C0F2DE,00C13863,00CB1444,?,00BFFDF5,?), ref: 00C14CBE

_free.LIBCMT ref: 00C1506C

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 14b0be41705ea20163abe889ecb3cd747a43da9050fdcbb616fb3847b51210d7
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 48012B722047049BE3218E5598819DAFBE8FBCA370F25051DE194832C0E630A946D6B4

Function 00C0E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: df9bbdbd990614f5e01e5072d2eff8af9082a073959f8c81a3f16ca58b12996b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 19F0F432510A1896DA313A6AAC05B9A339C9F53335F100B19F421931D2CF719946E6A5

Function 00C14C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00BE1129,00000000,?,00C12E29,00000001,00000364,?,?,?,00C0F2DE,00C13863,00CB1444,?,00BFFDF5,?), ref: 00C14CBE

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 213ba7cbc4c5fdd554fbf1f9972a20f3d3b294debdabf28444f28ab438fd78a9
Instruction ID: 8020acc6da25493ed26eb66e9b1545884957a2dab6b646979d1d186721241738
Opcode Fuzzy Hash: 213ba7cbc4c5fdd554fbf1f9972a20f3d3b294debdabf28444f28ab438fd78a9
Instruction Fuzzy Hash: 40F0E93160222467DB295F7A9C29BDB3788BF537E0B144125BC29A62D0CA30D991B6E0

Function 00C13820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00CB1444,?,00BFFDF5,?,?,00BEA976,00000010,00CB1440,00BE13FC,?,00BE13C6,?,00BE1129), ref: 00C13852

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 13acefb5307cad99c59863e5d35f9fe28083ef7ef5948c595af1fb9e9df07650
Instruction ID: 93c7a6a62f0beccc0c0b603c59dbdaac3be309d78eedbbcb543570e9979f81bd
Opcode Fuzzy Hash: 13acefb5307cad99c59863e5d35f9fe28083ef7ef5948c595af1fb9e9df07650
Instruction Fuzzy Hash: BCE0E5311002A596F73127779C04BDB3748AB437B8F054126BD28968D0DB10DF81B1F0

Function 00BE4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4F6D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 47bc6fc5ba4a3a6b2d00896a66718221658e7b4669c0c68ffddc8ee51d0cccd2
Instruction ID: e7239d9a1081e7ab70f7a6ce0ca6249139f80420495405a8ecb96d425d29901f
Opcode Fuzzy Hash: 47bc6fc5ba4a3a6b2d00896a66718221658e7b4669c0c68ffddc8ee51d0cccd2
Instruction Fuzzy Hash: 38F01C71105792CFDB349F66D494916BBE4EF1471931089BEE1DE82511C7359C44DB90

Function 00BE30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BE314E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ce663518d8facb270059a901a4078065a9e34b58f54e6baa277ae7850f1b85e1
Instruction ID: 290a8c7e43104af4399855607d11a959a97b9cefa29089a1b6bb656369d8b34c
Opcode Fuzzy Hash: ce663518d8facb270059a901a4078065a9e34b58f54e6baa277ae7850f1b85e1
Instruction Fuzzy Hash: 56F037709143549FE7529B24DC4A7D97BFCA701708F1401E9A64897191E7745788CF51

Function 00BE2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BE2DC4

Part of subcall function 00BE6B57: _wcslen.LIBCMT ref: 00BE6B6A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 2afa22851543c2e744b5628ac5f8e661f336be56f495d71c758b502ac675aa1f
Instruction ID: f27cbf9d005855e0b82467eab7af315f4d95ed2036b006513c4063fbc74b241e
Opcode Fuzzy Hash: 2afa22851543c2e744b5628ac5f8e661f336be56f495d71c758b502ac675aa1f
Instruction Fuzzy Hash: 5CE0CD726001245BC710D6989C06FDA77DDDFC87D0F0400B5FD09D7258DA60ADC08550

Function 00BE2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BE3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BE3908

Part of subcall function 00BED730: GetInputState.USER32 ref: 00BED807

SetCurrentDirectoryW.KERNEL32(?), ref: 00BE2B6B

Part of subcall function 00BE30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BE314E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 09be2a5bc91738bfb40a396b620b6501583fa5eb2765504a8af81ea6a812a98e
Instruction ID: 91d25e3f3649e3d93c5d019b638105e5f16142c6db8e9df5229aa42a235c4f6a
Opcode Fuzzy Hash: 09be2a5bc91738bfb40a396b620b6501583fa5eb2765504a8af81ea6a812a98e
Instruction Fuzzy Hash: BAE026213002C407CB04BB32A86A6ADB3C98BD1751F8009BEF14243163CF2149894311

Function 00C2039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C20704,?,?,00000000,?,00C20704,00000000,0000000C), ref: 00C203B7

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8300e53e612b69c89513623bd6c810cc65c3484a55dc1f406292d4614088ba34
Instruction ID: 7542d89a31d85abe2e91900ef203b88eda21c91e21f8c11b0be5175b67a4ba4f
Opcode Fuzzy Hash: 8300e53e612b69c89513623bd6c810cc65c3484a55dc1f406292d4614088ba34
Instruction Fuzzy Hash: 2ED06C3204010DBBDF028F84DD46EDE3BAAFB48714F014050BE1856020C732E861AB90

Function 00BE1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00BE1CBC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7ddc16c500c3ccf158fbbf024b50df97373d168c31dfece912c821813b4f2bad
Instruction ID: 7da9a6e0d591f53b1bd04ecf708d212e14e5e181c4e9acda415510150e626028
Opcode Fuzzy Hash: 7ddc16c500c3ccf158fbbf024b50df97373d168c31dfece912c821813b4f2bad
Instruction Fuzzy Hash: 75C09236280305AFF3248B80BC9AF2877A4A348B00F488101FA0DA95F3D3A22860FB50

Non-executed Functions

Function 00C79576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BF9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C7961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C7965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C7969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C796C9
SendMessageW.USER32 ref: 00C796F2
GetKeyState.USER32(00000011), ref: 00C7978B
GetKeyState.USER32(00000009), ref: 00C79798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C797AE
GetKeyState.USER32(00000010), ref: 00C797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C797E9
SendMessageW.USER32 ref: 00C79810
SendMessageW.USER32(?,00001030,?,00C77E95), ref: 00C79918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C7992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C79941
SetCapture.USER32(?), ref: 00C7994A
ClientToScreen.USER32(?,?), ref: 00C799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C799D6
ReleaseCapture.USER32 ref: 00C799E1
GetCursorPos.USER32(?), ref: 00C79A19
ScreenToClient.USER32(?,?), ref: 00C79A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C79A80
SendMessageW.USER32 ref: 00C79AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C79AEB
SendMessageW.USER32 ref: 00C79B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C79B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C79B4A
GetCursorPos.USER32(?), ref: 00C79B68
ScreenToClient.USER32(?,?), ref: 00C79B75
GetParent.USER32(?), ref: 00C79B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C79BFA
SendMessageW.USER32 ref: 00C79C2B
ClientToScreen.USER32(?,?), ref: 00C79C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C79CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C79CDE
SendMessageW.USER32 ref: 00C79D01
ClientToScreen.USER32(?,?), ref: 00C79D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C79D82

Part of subcall function 00BF9944: GetWindowLongW.USER32(?,000000EB), ref: 00BF9952

GetWindowLongW.USER32(?,000000F0), ref: 00C79E05

Strings

F, xrefs: 00C79D07
@GUI_DRAGID, xrefs: 00C7997D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 4d34751e87b3484a4aa8156e54b0c7191c33e079154214ce24f63d4365bae5d4
Instruction ID: c094e2197551288da6fb69309137e5859f84e3475d6296878b4f096e7f0aded4
Opcode Fuzzy Hash: 4d34751e87b3484a4aa8156e54b0c7191c33e079154214ce24f63d4365bae5d4
Instruction Fuzzy Hash: AA428B74604641AFDB24CF28CC84BAABBF5FF49360F14861DFAAD872A1D731A950CB51

Function 00C74873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C74908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C74927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C7494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C7495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C7497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C74A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C74A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C74A7E
IsMenu.USER32(?), ref: 00C74A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C74AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C74B20
GetWindowLongW.USER32(?,000000F0), ref: 00C74B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C74BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C74C82
wsprintfW.USER32 ref: 00C74CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C74CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00C74CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C74D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C74D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00C74D5A

Strings

%d/%02d/%02d, xrefs: 00C74CA8

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 2fd6a3ea44034109fff65faa8765d0c444853a6dedd4277eca853d98cffb5820
Instruction ID: 611ea1e60d451e6ee38b277d68c079b6b1418dec8f03e3d9a1c4de9546f94222
Opcode Fuzzy Hash: 2fd6a3ea44034109fff65faa8765d0c444853a6dedd4277eca853d98cffb5820
Instruction Fuzzy Hash: 2C12D071600219ABEB298F69CC89FBE7BF8EF45710F108169F52ADB1E1D7749A40CB50

Function 00BFF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BFF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C3F474
IsIconic.USER32(00000000), ref: 00C3F47D
ShowWindow.USER32(00000000,00000009), ref: 00C3F48A
SetForegroundWindow.USER32(00000000), ref: 00C3F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C3F4AA
GetCurrentThreadId.KERNEL32 ref: 00C3F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C3F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C3F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C3F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C3F4DE
SetForegroundWindow.USER32(00000000), ref: 00C3F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3F4F6
keybd_event.USER32(00000012,00000000), ref: 00C3F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3F50B
keybd_event.USER32(00000012,00000000), ref: 00C3F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3F519
keybd_event.USER32(00000012,00000000), ref: 00C3F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3F528
keybd_event.USER32(00000012,00000000), ref: 00C3F52D
SetForegroundWindow.USER32(00000000), ref: 00C3F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C3F557

Strings

Shell_TrayWnd, xrefs: 00C3F46F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c666e778a43b9562c983e5ddd71e4d884e46fd90e6600bf9df96a696fca9b940
Instruction ID: 423c5959e3d92d88c80796138b8d7770929d945398852b3c071c7d340d08ee12
Opcode Fuzzy Hash: c666e778a43b9562c983e5ddd71e4d884e46fd90e6600bf9df96a696fca9b940
Instruction Fuzzy Hash: F0317271E50219BBEB206BB55C8AFBF7E6CEB44B50F10046DFA04EA1D1C6B15D41AA60

Function 00C41201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C4170D
Part of subcall function 00C416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C4173A
Part of subcall function 00C416C3: GetLastError.KERNEL32 ref: 00C4174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C41286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C412A8
CloseHandle.KERNEL32(?), ref: 00C412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C412D1
GetProcessWindowStation.USER32 ref: 00C412EA
SetProcessWindowStation.USER32(00000000), ref: 00C412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C41310

Part of subcall function 00C410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C411FC), ref: 00C410D4
Part of subcall function 00C410BF: CloseHandle.KERNEL32(?,?,00C411FC), ref: 00C410E9

Strings

winsta0, xrefs: 00C412CC
, xrefs: 00C4125A
default, xrefs: 00C4130B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 9d6a349fdc836fd7fbd5f3fcff2b80a3da89ecad82087980e7ad070c667aa8ba
Instruction ID: ab8f00d7f5c84fdbd7d3b1dad98f3f7c26df85aaba0e26410201481b0f891ffb
Opcode Fuzzy Hash: 9d6a349fdc836fd7fbd5f3fcff2b80a3da89ecad82087980e7ad070c667aa8ba
Instruction Fuzzy Hash: 95818C71900209AFDF219FA4DC89FEE7BB9FF04704F184129FE64A61A0D7749A84CB60

Function 00C40B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C41114
Part of subcall function 00C410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C41120
Part of subcall function 00C410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C4112F
Part of subcall function 00C410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C41136
Part of subcall function 00C410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C4114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C40BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C40C00
GetLengthSid.ADVAPI32(?), ref: 00C40C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C40C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C40C6D
GetLengthSid.ADVAPI32(?), ref: 00C40C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C40C8C
HeapAlloc.KERNEL32(00000000), ref: 00C40C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C40CB4
CopySid.ADVAPI32(00000000), ref: 00C40CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C40CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C40D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C40D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C40D45
HeapFree.KERNEL32(00000000), ref: 00C40D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C40D55
HeapFree.KERNEL32(00000000), ref: 00C40D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C40D65
HeapFree.KERNEL32(00000000), ref: 00C40D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C40D78
HeapFree.KERNEL32(00000000), ref: 00C40D7F

Part of subcall function 00C41193: GetProcessHeap.KERNEL32(00000008,00C40BB1,?,00000000,?,00C40BB1,?), ref: 00C411A1
Part of subcall function 00C41193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C40BB1,?), ref: 00C411A8
Part of subcall function 00C41193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C40BB1,?), ref: 00C411B7

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0d0025cd1e01c2573cc122a6020e0b5d07d03e30b84d7f7a230efcd3a52c989e
Instruction ID: 2d8e1980813b57ad8b3380462653f9bf09df90dedb498589d44eb531c9a1ed5a
Opcode Fuzzy Hash: 0d0025cd1e01c2573cc122a6020e0b5d07d03e30b84d7f7a230efcd3a52c989e
Instruction Fuzzy Hash: 9C714F7294020AABDF10DFE4DC84FAEBBB8BF44310F144529EA19A6191D775AA45CBA0

Function 00C5EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C7CC08), ref: 00C5EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C5EB37
GetClipboardData.USER32(0000000D), ref: 00C5EB43
CloseClipboard.USER32 ref: 00C5EB4F
GlobalLock.KERNEL32(00000000), ref: 00C5EB87
CloseClipboard.USER32 ref: 00C5EB91
GlobalUnlock.KERNEL32(00000000), ref: 00C5EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00C5EBC9
GetClipboardData.USER32(00000001), ref: 00C5EBD1
GlobalLock.KERNEL32(00000000), ref: 00C5EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00C5EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C5EC38
GetClipboardData.USER32(0000000F), ref: 00C5EC44
GlobalLock.KERNEL32(00000000), ref: 00C5EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C5EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C5EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C5ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00C5ECF3
CountClipboardFormats.USER32 ref: 00C5ED14
CloseClipboard.USER32 ref: 00C5ED59

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8dba75339432f137f7412765b71866ffef8d415a721d3eb46b0213a8a2a3289c
Instruction ID: bc3fa917f66220126f325e0477e7e8f993e9acce1e9ed00b15d0016f131eff7b
Opcode Fuzzy Hash: 8dba75339432f137f7412765b71866ffef8d415a721d3eb46b0213a8a2a3289c
Instruction Fuzzy Hash: AF61D1382042429FD314EF25C889F2E77E8EF84745F14455DF85A972A2CB31DE89CBA6

Function 00C5698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C569BE
FindClose.KERNEL32(00000000), ref: 00C56A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C56A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C56A75

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C56AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C56ADF

Strings

%03d, xrefs: 00C56DA2
%4d, xrefs: 00C56BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C56B32
%4d%02d%02d%02d%02d%02d, xrefs: 00C56B6A
%02d, xrefs: 00C56C00, 00C56C0A, 00C56C5A, 00C56CAA, 00C56CFA, 00C56D4A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9b04db9a04b7a8c229c3fac5d34ec0693e96fcf2bf81bc692a2bac0f5d637da2
Instruction ID: dd62d2db4785a420271f9e28ad3dea6c5c65c8131e5288fabfe2f921127e37e0
Opcode Fuzzy Hash: 9b04db9a04b7a8c229c3fac5d34ec0693e96fcf2bf81bc692a2bac0f5d637da2
Instruction Fuzzy Hash: 91D16271508340AFC310EB65C881EAFB7ECAF98704F44495DF999C7192EB74DA49C762

Function 00C59642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C59663
GetFileAttributesW.KERNEL32(?), ref: 00C596A1
SetFileAttributesW.KERNEL32(?,?), ref: 00C596BB
FindNextFileW.KERNEL32(00000000,?), ref: 00C596D3
FindClose.KERNEL32(00000000), ref: 00C596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00C596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5974A
SetCurrentDirectoryW.KERNEL32(00CA6B7C), ref: 00C59768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C59772
FindClose.KERNEL32(00000000), ref: 00C5977F
FindClose.KERNEL32(00000000), ref: 00C5978F

Strings

*.*, xrefs: 00C596F5

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: df35ae86bbdb47210607518c695244c908cdadc000cc33c507250d025f2fbfe2
Instruction ID: c36cd4a84e3e8be2a13a768f203b79367da11874fab13338d56e3ef8e4b9ab4d
Opcode Fuzzy Hash: df35ae86bbdb47210607518c695244c908cdadc000cc33c507250d025f2fbfe2
Instruction Fuzzy Hash: F231A73554161AAFDB149FB4DC49BDE77ACDF09361F1441A6F819E20A0DB34DAC88E14

Function 00C5979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00C59819
FindClose.KERNEL32(00000000), ref: 00C59824
FindFirstFileW.KERNEL32(*.*,?), ref: 00C59840
SetCurrentDirectoryW.KERNEL32(?), ref: 00C59890
SetCurrentDirectoryW.KERNEL32(00CA6B7C), ref: 00C598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C598B8
FindClose.KERNEL32(00000000), ref: 00C598C5
FindClose.KERNEL32(00000000), ref: 00C598D5

Part of subcall function 00C4DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C4DB00

Strings

*.*, xrefs: 00C5983B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 8ada48ab97a7194165d50efa6846d43f5eabbda64875f6b7f7cd3131a03b6230
Instruction ID: 400ee5f98c56b3db60d49cd125a28480823ab040467bd287155a294dd9c480c1
Opcode Fuzzy Hash: 8ada48ab97a7194165d50efa6846d43f5eabbda64875f6b7f7cd3131a03b6230
Instruction Fuzzy Hash: C731C73550121AABDB14AFB4EC48BDE77ACDF06325F1441A5E824A21E1DB30DAC8DB24

Function 00C6BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C6C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6B6AE,?,?), ref: 00C6C9B5
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6C9F1
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6CA68
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C6BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00C6BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00C6BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C6C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C6C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C6C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C6C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00C6C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C6C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C6C382
RegCloseKey.ADVAPI32(00000000), ref: 00C6C38F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: b56310f1b5d2126138ca574b6e54bcf6171893b8ef3ed265394dd51efc23d270
Instruction ID: dae0c5571f14e571d3f5d45cb71dc582a8ce79c8a133f1a096799c4ff71bc3e0
Opcode Fuzzy Hash: b56310f1b5d2126138ca574b6e54bcf6171893b8ef3ed265394dd51efc23d270
Instruction Fuzzy Hash: 01023C716042409FC724DF29C8D5E2ABBE5EF49304F1884ADF89ACB2A2DB31ED45CB51

Function 00C58195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C58257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C58267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C58273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C58310
SetCurrentDirectoryW.KERNEL32(?), ref: 00C58324
SetCurrentDirectoryW.KERNEL32(?), ref: 00C58356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C5838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C58395

Strings

*.*, xrefs: 00C5839B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 3ffdbc6a5d9fb50dec2791771befddae0c98685b67c86848390386009e0320e4
Instruction ID: 8d6e54ef769226442ad078330e45ce7339cd39e12f76d45211573b6d1ea31a17
Opcode Fuzzy Hash: 3ffdbc6a5d9fb50dec2791771befddae0c98685b67c86848390386009e0320e4
Instruction Fuzzy Hash: 2D617C755043459FC710EF60C880AAFB3E8FF89314F04895DF99997261DB31EA89CB96

Function 00C4D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BE3A97,?,?,00BE2E7F,?,?,?,00000000), ref: 00BE3AC2

Part of subcall function 00C4E199: GetFileAttributesW.KERNEL32(?,00C4CF95), ref: 00C4E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C4D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C4D1DD
MoveFileW.KERNEL32(?,?), ref: 00C4D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C4D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C4D237

Part of subcall function 00C4D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C4D21C,?,?), ref: 00C4D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C4D253
FindClose.KERNEL32(00000000), ref: 00C4D264

Strings

\*.*, xrefs: 00C4D0CD, 00C4D0D6, 00C4D0EB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0749821f25df218192f7bde64746816b09c90859c114ae383062138e318d2740
Instruction ID: 35041fccde6ce421b79c70feae81da7a9d40947b5e843c80332e229ef8844ace
Opcode Fuzzy Hash: 0749821f25df218192f7bde64746816b09c90859c114ae383062138e318d2740
Instruction Fuzzy Hash: 19618D3180114DABCF15FBE1CA92AEDB7B9BF55300F2440A9E412771A2EB306F49DB60

Function 00C5ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C5ED91
EmptyClipboard.USER32 ref: 00C5ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00C5EDAC
CloseClipboard.USER32 ref: 00C5EEA3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 37ce90ad9d2bdb91a4c04b0ac7df19a587c46ead4631348dc3de22279f03d7d6
Instruction ID: e5b7d8a483c8cf10ab64fc5efdc02cccb5bac41c692a9fa862d2cfb2a8504e4e
Opcode Fuzzy Hash: 37ce90ad9d2bdb91a4c04b0ac7df19a587c46ead4631348dc3de22279f03d7d6
Instruction Fuzzy Hash: A941D039204612AFD724DF15D889F19BBE5FF44319F14C09DE8298B6A2C771EE86CB90

Function 00C4E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C4170D
Part of subcall function 00C416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C4173A
Part of subcall function 00C416C3: GetLastError.KERNEL32 ref: 00C4174A

ExitWindowsEx.USER32(?,00000000), ref: 00C4E932

Strings

, xrefs: 00C4E920
SeShutdownPrivilege, xrefs: 00C4E902
@, xrefs: 00C4E925
, xrefs: 00C4E95C

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d26adf9960e9dc706fe08a3ef2789ba9ecf7a17fd941b9df117a80ab898e2140
Instruction ID: 38b8cf0c82b076962a2ca6650b0917db393b5680d06e834ddd53d6bb13e31d6b
Opcode Fuzzy Hash: d26adf9960e9dc706fe08a3ef2789ba9ecf7a17fd941b9df117a80ab898e2140
Instruction Fuzzy Hash: 5101F973610211ABEB6426B59CC6FFF729CB724750F1A4825FC53E21E2D6A15D809290

Function 00C61204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C61276
WSAGetLastError.WSOCK32 ref: 00C61283
bind.WSOCK32(00000000,?,00000010), ref: 00C612BA
WSAGetLastError.WSOCK32 ref: 00C612C5
closesocket.WSOCK32(00000000), ref: 00C612F4
listen.WSOCK32(00000000,00000005), ref: 00C61303
WSAGetLastError.WSOCK32 ref: 00C6130D
closesocket.WSOCK32(00000000), ref: 00C6133C

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: bc54bcfd2718ed80a7cfb839d9bda8200acdae8fa5381c9b2e8bc790cc382fad
Instruction ID: 7ebc39fefe9c27f0c585f2ece6ed6ab2a86169ca8ad0d20db26b0df16117edb0
Opcode Fuzzy Hash: bc54bcfd2718ed80a7cfb839d9bda8200acdae8fa5381c9b2e8bc790cc382fad
Instruction Fuzzy Hash: 90417F316001419FD720DF25C4D4B2ABBE5AF46319F1C819CD86A8F2E6C771ED85CBA1

Function 00C4D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BE3A97,?,?,00BE2E7F,?,?,?,00000000), ref: 00BE3AC2

Part of subcall function 00C4E199: GetFileAttributesW.KERNEL32(?,00C4CF95), ref: 00C4E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C4D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C4D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C4D481
FindClose.KERNEL32(00000000), ref: 00C4D498
FindClose.KERNEL32(00000000), ref: 00C4D4A1

Strings

\*.*, xrefs: 00C4D3F2

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ecf4564c29d782b7aa75ed02f6511046efd8f8e058ebecf0ca14baf31fc89d1b
Instruction ID: 4c225f0237e6a9a4cdcb01667f649a3b1348ef068773a63537dedb18019dba9d
Opcode Fuzzy Hash: ecf4564c29d782b7aa75ed02f6511046efd8f8e058ebecf0ca14baf31fc89d1b
Instruction Fuzzy Hash: F6318E310083819BC310FF65C8959AFB7E8BE91304F445E5DF4E6931A2EB30AA49CB63

Function 00C1E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C1E645

Strings

1#INF, xrefs: 00C1F852
1#SNAN, xrefs: 00C1F844
1#IND, xrefs: 00C1F83D
1#QNAN, xrefs: 00C1F84B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4830d20b1874a31596b2d3b88426c23b353e25453dc7bf13ae879a7d7f388d35
Instruction ID: f6f0f177893eac4d05b85cc4451ec973729507e038658373a53ffa1af014f8ca
Opcode Fuzzy Hash: 4830d20b1874a31596b2d3b88426c23b353e25453dc7bf13ae879a7d7f388d35
Instruction Fuzzy Hash: E6C23B71E086298FDB25CE28DD447E9B7B5EB4A304F1441EAD85DE7280E774AEC29F40

Function 00C5648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C564DC
CoInitialize.OLE32(00000000), ref: 00C56639
CoCreateInstance.OLE32(00C7FCF8,00000000,00000001,00C7FB68,?), ref: 00C56650
CoUninitialize.OLE32 ref: 00C568D4

Strings

.lnk, xrefs: 00C564BA, 00C56524, 00C565E0

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1b843e6981e1bfbc67093d6860f9dddfbbae8abf9703823ae36608578bee8eda
Instruction ID: e717425afb6dc5407cb7f0c6983c34e178d1389187b1f59da4650a2ae9a6580d
Opcode Fuzzy Hash: 1b843e6981e1bfbc67093d6860f9dddfbbae8abf9703823ae36608578bee8eda
Instruction Fuzzy Hash: F0D15A71508341AFC314EF25C881A6BB7E9FF94704F50496DF5958B2A1EB30EE4ACB92

Function 00C622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00C622E8

Part of subcall function 00C5E4EC: GetWindowRect.USER32(?,?), ref: 00C5E504

GetDesktopWindow.USER32 ref: 00C62312
GetWindowRect.USER32(00000000), ref: 00C62319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C62355
GetCursorPos.USER32(?), ref: 00C62381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C623DF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9827662ca1adc069d1d6cdaa66a8a54be7f8b8ddd47438e78b0c3e2c77ad179a
Instruction ID: 866d12901bfb8358552594a056430153365c5a320079e9f5f63e589b389b3804
Opcode Fuzzy Hash: 9827662ca1adc069d1d6cdaa66a8a54be7f8b8ddd47438e78b0c3e2c77ad179a
Instruction Fuzzy Hash: 6231CD72505716ABC720DF54D889B9FBBADFF84310F00092DF99997291DB34EA48CB92

Function 00C59B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C59B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C59C8B

Part of subcall function 00C53874: GetInputState.USER32 ref: 00C538CB
Part of subcall function 00C53874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C53966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C59BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C59C75

Strings

*.*, xrefs: 00C59B5D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 44b7ca8c0d501839487024d211e382e361efd556200eb6576bee94f2c4da650d
Instruction ID: 8a8a1e3e5152a77a3a0b30d1a769b9e2643824ecfcae4727adc58c92bffc037a
Opcode Fuzzy Hash: 44b7ca8c0d501839487024d211e382e361efd556200eb6576bee94f2c4da650d
Instruction Fuzzy Hash: 2A41507590424ADFDF14DF64C889AEEBBF8EF05311F244199E815A2191EB30AF88CF64

Function 00BF997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00BF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BF9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BF9A4E
GetSysColor.USER32(0000000F), ref: 00BF9B23
SetBkColor.GDI32(?,00000000), ref: 00BF9B36

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 90b4d1477d65da775a7b8dd47279a3e9b815fe336676ab3a005b4d4682b82b74
Instruction ID: d1efc213f57165ffa63cbb4774c805a6f4e94a7fa526e7d020c9d8fb29e8ac18
Opcode Fuzzy Hash: 90b4d1477d65da775a7b8dd47279a3e9b815fe336676ab3a005b4d4682b82b74
Instruction Fuzzy Hash: F1A12BB0118448BEE739AA3D8CD9F7F26DDDB82340F15434AF722D7592CA259E09D271

Function 00C61806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C6304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C6307A
Part of subcall function 00C6304E: _wcslen.LIBCMT ref: 00C6309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C6185D
WSAGetLastError.WSOCK32 ref: 00C61884
bind.WSOCK32(00000000,?,00000010), ref: 00C618DB
WSAGetLastError.WSOCK32 ref: 00C618E6
closesocket.WSOCK32(00000000), ref: 00C61915

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6026855a3c62744b31d8bbe73eb2c05ca78332f59fd597c15229b6e467f55ed1
Instruction ID: 3e657ca7206ec9d5ac160557f69c3975ffaffb3d1a86df79a22d89dba427866d
Opcode Fuzzy Hash: 6026855a3c62744b31d8bbe73eb2c05ca78332f59fd597c15229b6e467f55ed1
Instruction Fuzzy Hash: 10519371A002109FD720AF25C8C6F6A77E5AF48718F18849CF9199F3D3D771AD418BA1

Function 00C71C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C71CC0
IsWindowEnabled.USER32 ref: 00C71CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00C71CDB
IsIconic.USER32 ref: 00C71CE9
IsZoomed.USER32 ref: 00C71CF7

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6b781e17f52a1602fd329199e6d8382979dca0cc3bfb89e39f517596c9bf2d96
Instruction ID: ec7cab6e00de3e406713f86682589f95553a75098078eaf6fbdeec74511d7da1
Opcode Fuzzy Hash: 6b781e17f52a1602fd329199e6d8382979dca0cc3bfb89e39f517596c9bf2d96
Instruction Fuzzy Hash: 3621BF317402115FD7228F6EC884B2A7BE5EF95324B1DC06CE85E8B251CB71EE42CB90

Function 00BE8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00BE843C
VUUU, xrefs: 00BE83FA
ERCP, xrefs: 00BE813C
VUUU, xrefs: 00C25DF0
VUUU, xrefs: 00BE83E8

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d99cc5cb024f5112ea64940133d4f573404b556d62fef46839e90823c082084d
Instruction ID: 15a08707881ab4706395176d46b9800076b59bcbbf276a66ef03286b77c51292
Opcode Fuzzy Hash: d99cc5cb024f5112ea64940133d4f573404b556d62fef46839e90823c082084d
Instruction Fuzzy Hash: 29A28170E0066ACBDF24CF59D9807AEB7F1FF54310F2481A9D829A7684DB749E81DB50

Function 00C4AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C4AAAC
SetKeyboardState.USER32(00000080), ref: 00C4AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C4AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C4AB88

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cb26ca37a65bf1fe1bb1664bd3e82fd5feae4b73dd12ba56489d1294e6a7322c
Instruction ID: 9735b9ea4545f1014da6323043176547aad9d8e44c5fb16585089d195eab4ff1
Opcode Fuzzy Hash: cb26ca37a65bf1fe1bb1664bd3e82fd5feae4b73dd12ba56489d1294e6a7322c
Instruction Fuzzy Hash: 8D311470AC0218AFFB35CA658C45BFA7BA6FB44320F04421AF5A5961D0D3758A81D762

Function 00C1BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C1BB7F

Part of subcall function 00C129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000), ref: 00C129DE
Part of subcall function 00C129C8: GetLastError.KERNEL32(00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000,00000000), ref: 00C129F0

GetTimeZoneInformation.KERNEL32 ref: 00C1BB91
WideCharToMultiByte.KERNEL32(00000000,?,00CB121C,000000FF,?,0000003F,?,?), ref: 00C1BC09
WideCharToMultiByte.KERNEL32(00000000,?,00CB1270,000000FF,?,0000003F,?,?,?,00CB121C,000000FF,?,0000003F,?,?), ref: 00C1BC36

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 5a7a3385341548b484e9885ed18aee95c0d011480964d07f240281ea7ec25425
Instruction ID: f80f92982b6739f41fc541a223466c2838d8afa68a9465574f6cabd9ec3a9b91
Opcode Fuzzy Hash: 5a7a3385341548b484e9885ed18aee95c0d011480964d07f240281ea7ec25425
Instruction Fuzzy Hash: C431D471904205DFCB10DF69CC906ADBBB8FF46310B5842AAE424D72B1D7309E90EF91

Function 00C5CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C5CE89
GetLastError.KERNEL32(?,00000000), ref: 00C5CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00C5CEFE

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 76f05929411fd134cc3a2a2c40514516b02354cab87c19518f9fdd139b934362
Instruction ID: 4bde1e45fbb0e4f84cd895b211c274fd26540c6e1e868d8936b314c1491bb41a
Opcode Fuzzy Hash: 76f05929411fd134cc3a2a2c40514516b02354cab87c19518f9fdd139b934362
Instruction Fuzzy Hash: A121C1755003059FD720CFA5C98ABAB77FCEB10315F10441EE956E2151E7B0EE88DB58

Function 00C48298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C482AA

Strings

|, xrefs: 00C482DA
(, xrefs: 00C482F0

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: a25428378bf1290aae56eaba0a25e2780ee26a4e4a90cf3e724f7fd42e19b7ad
Instruction ID: 4231feacaf76b8b0bef5ade7c5575991aff5d0c480a415cfea98bdcd6162ff7c
Opcode Fuzzy Hash: a25428378bf1290aae56eaba0a25e2780ee26a4e4a90cf3e724f7fd42e19b7ad
Instruction Fuzzy Hash: DF322675A007059FCB28CF59C481A6AB7F0FF48710B15C56EE5AADB3A1EB70E981CB44

Function 00C55C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C55CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00C55D17
FindClose.KERNEL32(?), ref: 00C55D5F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f36bb8467ff2f81c322cdba14331600ea92468044c04afc683d81d5b329b238c
Instruction ID: cb36c4d7149bad818d4fbce29a9f0095553d9a0b6551014b363b7af39a851ce8
Opcode Fuzzy Hash: f36bb8467ff2f81c322cdba14331600ea92468044c04afc683d81d5b329b238c
Instruction Fuzzy Hash: 20517A79604A019FC714CF28C4A4A9AB7F4FF49314F14855DE96A8B3A2CB30FD89CB91

Function 00C12622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C1271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C12724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C12731

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fb2f159f6d24f5f5e2070d1bf5cc67eb2e4f521a9af5f9f7b2f8580475b050b1
Instruction ID: bda8a3f995f435fcc19760aa57915696dc02d8b0b919bf271a8d8ea19f6c276f
Opcode Fuzzy Hash: fb2f159f6d24f5f5e2070d1bf5cc67eb2e4f521a9af5f9f7b2f8580475b050b1
Instruction Fuzzy Hash: 4531B5749112189BCB21DF68DC897DDB7B8AF08310F5041EAE41CA72A1E7349F819F45

Function 00C551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C55238
SetErrorMode.KERNEL32(00000000), ref: 00C552A1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e2393effa97cd45215e9076a405c9fb11776698d8d1179abae87a872ee76aea8
Instruction ID: 58b1886ec838b2998168203746dadc0a48fae197e999ed732a47c469c07ea65b
Opcode Fuzzy Hash: e2393effa97cd45215e9076a405c9fb11776698d8d1179abae87a872ee76aea8
Instruction Fuzzy Hash: 2D314B75A005199FDB00DF55D894FADBBF4FF49314F048099E809AB3A2DB31E99ACB90

Function 00C416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BFFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C00668
Part of subcall function 00BFFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C00685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C4170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C4173A
GetLastError.KERNEL32 ref: 00C4174A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 87c0671e711cfdc0e0faaa0ef5209f8dd39bc665fcf4c70be369975d658d300f
Instruction ID: 04c8af72c0321d611505cc97ebe6d9684dba67c5d012b11f5faa6a70c89410f1
Opcode Fuzzy Hash: 87c0671e711cfdc0e0faaa0ef5209f8dd39bc665fcf4c70be369975d658d300f
Instruction Fuzzy Hash: 6E11BFB2400209AFD7189F54DCC6E7EB7F9FF04714B24852EE49653251EB70BC818A60

Function 00C4D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C4D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C4D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C4D650

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b45f01209babf6b3cc3a39109c2d47f2130bde8257a37cb83b55c4449ffb1880
Instruction ID: 1e4370cdd3984fc2f406d067df030999b9904ee73ef99fc3ce7bad1fbc4c25d7
Opcode Fuzzy Hash: b45f01209babf6b3cc3a39109c2d47f2130bde8257a37cb83b55c4449ffb1880
Instruction Fuzzy Hash: C1118E71E01228BFDB108F99DC85FEFBBBCEB45B60F108125F918E7290C2704A018BA1

Function 00C41663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C4168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C416A1
FreeSid.ADVAPI32(?), ref: 00C416B1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f76c3a407e2bbf6c4e50e861cec537a27e4d84e857420cd12f0e03fcf6a29d34
Instruction ID: 8f6346bb8eacea4fe0caf236c39dc05e5dd5d2bd88b0bb6faada45172f5a0ebf
Opcode Fuzzy Hash: f76c3a407e2bbf6c4e50e861cec537a27e4d84e857420cd12f0e03fcf6a29d34
Instruction Fuzzy Hash: E5F0F471950309FBDB00DFE4DC89EAEBBBCFB08604F504565E901E2181E774AA848BA0

Function 00C3D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C3D28C

Strings

X64, xrefs: 00C3D2A8

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 4e24794bf645d0f1d5ca4cd83400f2719caf8091cc32141875f34f680227607a
Instruction ID: 991cf90f7ead468b09ea7e14a26ee29f73ed1c931bc209de020e7ea08f324eeb
Opcode Fuzzy Hash: 4e24794bf645d0f1d5ca4cd83400f2719caf8091cc32141875f34f680227607a
Instruction Fuzzy Hash: 15D0C9B481111DEACF90CBA0ECC8EDEB7BCBB04305F100195F506A2000DB3095488F10

Function 00C0CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: edeff0d68a9f2f7b9864ece8539eb9dada001a3a8827fc7cd4d897b56893594c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 4B020C71E002199BDF14CFA9D8C06ADFBF5EF48314F25826AD929E7384D731AA41CB94

Function 00C568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C56918
FindClose.KERNEL32(00000000), ref: 00C56961

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3292ac4b70f0ed5c9843c6f61be9147e65189c819b8600688c1f36968020d133
Instruction ID: 649263030775894b4195484c4a72980ac425e630a67656ba5373dda789524aec
Opcode Fuzzy Hash: 3292ac4b70f0ed5c9843c6f61be9147e65189c819b8600688c1f36968020d133
Instruction Fuzzy Hash: CC11D3356042019FC710CF2AD484A16BBE0FF84329F44C69DE8698F3A2CB30EC49CB91

Function 00C537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C64891,?,?,00000035,?), ref: 00C537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C64891,?,?,00000035,?), ref: 00C537F4

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 63e2cddf4906f48706de56ee0e1355138cfa041878c31f68ae5e25761c518b4a
Instruction ID: dce6b63b70f57bc3974d5847042408846eaff7032ae22236de096763762c471c
Opcode Fuzzy Hash: 63e2cddf4906f48706de56ee0e1355138cfa041878c31f68ae5e25761c518b4a
Instruction Fuzzy Hash: B5F0EC746042256AE71057765D8DFDB369DDFC47A1F000165F919D22D1D9605984C7B0

Function 00C4B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C4B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00C4B270

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: b0a5463e4cd15af27267ae057936dd7e59020e7d01a8eb57cbc0338eb4941d5a
Instruction ID: 181373e455960b7d2876569c2110cd782bcfcbc593fb95bc3b4fd1e07ac38471
Opcode Fuzzy Hash: b0a5463e4cd15af27267ae057936dd7e59020e7d01a8eb57cbc0338eb4941d5a
Instruction Fuzzy Hash: 1FF01D7180424EABDB159FA1C805BAE7BB4FF04305F008009F965A5192D779C6519F94

Function 00C410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C411FC), ref: 00C410D4
CloseHandle.KERNEL32(?,?,00C411FC), ref: 00C410E9

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7fef7b694fc0365200b6f169806b3f9b97013f915ba99a609be634dbc16a6a0f
Instruction ID: 10590a129cb3f05744931d88d8fc10588f7e89ab81604177ddb58bb6f13ce0b2
Opcode Fuzzy Hash: 7fef7b694fc0365200b6f169806b3f9b97013f915ba99a609be634dbc16a6a0f
Instruction Fuzzy Hash: C5E0BF72014611AEF7252B51FC45F7777E9FF04320B14886DF5A5814B1DB626CD4DB50

Function 00BECAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C30C40

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: ae152f52f7222e78ba63c20fc2208a0cbc52c9d26948c3f0bc0dacf4150cac1e
Instruction ID: 3ae74b063fdcd07ebd5f3fc03c21fc964047d885781bd7864dd4f19b018a8487
Opcode Fuzzy Hash: ae152f52f7222e78ba63c20fc2208a0cbc52c9d26948c3f0bc0dacf4150cac1e
Instruction Fuzzy Hash: 76328B71910258DFCF14DF91D891AEDBBF5FF04304F2080A9E816AB292D735AE4ACB61

Function 00C1676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C16766,?,?,00000008,?,?,00C1FEFE,00000000), ref: 00C16998

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 655e46fead92986dfaf1e846f0e4bd25116a7500c3eb0f75c7095c6323f71781
Instruction ID: a22164a08ce084b32a2e76484fec16ec2fd92fad89556758319e130cdc17e536
Opcode Fuzzy Hash: 655e46fead92986dfaf1e846f0e4bd25116a7500c3eb0f75c7095c6323f71781
Instruction Fuzzy Hash: 2CB12B31510609DFE715CF28C486BA57BE0FF46364F298658E8A9CF2E2C735DA91DB40

Function 00BFB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C3851F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b44dbcb073718065c28a22d9de16fa4cb2ac76c07a399ba47d39ab794a7f7354
Instruction ID: 0427d0ec519f261cd9dfa56e7e8338d846150f41986560999f4461eccfcd4929
Opcode Fuzzy Hash: b44dbcb073718065c28a22d9de16fa4cb2ac76c07a399ba47d39ab794a7f7354
Instruction Fuzzy Hash: BA125E719102299BDB54CF58C980AFEB7F5FF48710F14819AE949EB251EB309E89CF90

Function 00C5EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C5EABD

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ff772216678a84b7a0207f2e42fd4f514fa8e28e4b09cadc0684603a02c650c8
Instruction ID: e617c144dd8235608afcbeb355a255285ff23e308d1cda5334e39d3f8d7c24f9
Opcode Fuzzy Hash: ff772216678a84b7a0207f2e42fd4f514fa8e28e4b09cadc0684603a02c650c8
Instruction Fuzzy Hash: 16E04F352102049FC710EF6AD844E9AFBEDBF98760F00845AFD4AC7351DB70E9858B90

Function 00C009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C003EE), ref: 00C009DA

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 218e8337a0b869191a286323416d63245c6b3e90b3a479204d18acf19e8681ff
Instruction ID: 02e8b7bcbf5f407775b8133321c59f2dd7af74ba5387a93ca32bc0d1ad6273da
Opcode Fuzzy Hash: 218e8337a0b869191a286323416d63245c6b3e90b3a479204d18acf19e8681ff
Instruction Fuzzy Hash:

Function 00C0781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C0798B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 8d8ecaf23c03ada1e37b4e8651dca51d9181ffd3ce86910e9bc556c6e1554561
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 40518C71F0C7455BDF3C8669895D7BE23899B42300F188709D8A6E72C2C615FF45E362

Function 00C16DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046a34c57ac39b82582f980a585e4c8540a63f6633883ca1e0cea789c81cb849
Instruction ID: 4dba00b5c23bfacae5045b4251a812a45159d5c042d6e724c34710a6b952d97c
Opcode Fuzzy Hash: 046a34c57ac39b82582f980a585e4c8540a63f6633883ca1e0cea789c81cb849
Instruction Fuzzy Hash: 5B323432D29F014DD7239634CC26339A699AFB73C5F15C737E82AB5AA5EB28C5C35204

Function 00BFCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66ac9e54ea8b58b547f701a783e40b09156521bd773f37f3afcfe1b5ccc4961
Instruction ID: 21b1aefcbb264c1efa29fc192f41bf93e789cca6f0cd8bffc5115ba4c5ffd2d6
Opcode Fuzzy Hash: d66ac9e54ea8b58b547f701a783e40b09156521bd773f37f3afcfe1b5ccc4961
Instruction Fuzzy Hash: F7324B31A1015D8BCF28CF29C5D467DBBE1EF45304F28856AE969EB292D330DE85DB41

Function 00BE7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fabe75da94e67fdcd19d47d855d07b97dbe0ed93595ca5ed8968786fbcc046
Instruction ID: 4f11398b7cd35b4113b8900965a0c2d5d558efecd4797e2eece5d1cae111ab68
Opcode Fuzzy Hash: 98fabe75da94e67fdcd19d47d855d07b97dbe0ed93595ca5ed8968786fbcc046
Instruction Fuzzy Hash: D422E470A0465ADFDF14CF65D881AAEB3F5FF44300F204669E812E76A1EB36AE15CB50

Function 00BE91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ceb137c1cf831d03da34b22f2d57f5cfe76370efaebb088621fa00420eacac8
Instruction ID: 4bb99df9beeacccd9b73553d3bc8c597e4d62ae7fbcc8a2e09f623879025d9db
Opcode Fuzzy Hash: 2ceb137c1cf831d03da34b22f2d57f5cfe76370efaebb088621fa00420eacac8
Instruction Fuzzy Hash: 2B02D7B0E0011AEBDF04DF55D881BAEB7F1FF44300F1081A9E916AB291EB31AE55DB95

Function 00C19EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab8a43438c477b0f102f0d75ff568f4e75aa1bb8fd7e90d6194dec623f482b2
Instruction ID: 321d0caf178d92a08f957c4e23e9bdb525d51867642b225df23e257d675f1d10
Opcode Fuzzy Hash: cab8a43438c477b0f102f0d75ff568f4e75aa1bb8fd7e90d6194dec623f482b2
Instruction Fuzzy Hash: 72B1D230D2AF814DD2239639883133AB65C6FBB6D5F91E71BFC2674D62EB2185834244

Function 00C01C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: ef11f6e14bf3d579bca23a54dc8238cc3c6d97fa88ac6c9d8c0b4ee81a6ef14d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EF9158726081A34ADB2A463E857407EFFE15A923A171E079DDCF2CA1C5FE14DA54D620

Function 00C01F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 938c863323c3e1bea0bb1d5ed05fb6027f7e490e5d64c1831a40dabed2fac83d
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 3C9157722091A349DB6D477A857803EFFE15A923A131E079ED8F2CB1C5EE24CB54E620

Function 00C019B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: aa15e9e830b3dc49d5b5cde504039063023b21d7217c5d8205c311bdd308c12e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 779124722090E34EDB6D467A857403EFFE15A923A271E079ED8F2CA1C5FE24D754E620

Function 00C07A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcfe012c5a29bc00f4e08fe5f30b1c2679c647aa1f1b4800afcc0dc158b0d177
Instruction ID: 512ade1f528523e015924a226a95fdde68a402f7c711fd631043a02042edfafa
Opcode Fuzzy Hash: dcfe012c5a29bc00f4e08fe5f30b1c2679c647aa1f1b4800afcc0dc158b0d177
Instruction Fuzzy Hash: 95616631F0874967EE3C9A2888A5BBE3394DF41700F105B1AE893CB2C1DA51BF42E765

Function 00C07CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f3c6608c6c655118c0daecf270d3b07dfd66e449139b3ee47e8fbff32be7b3
Instruction ID: f46a5e90d156cf0b2b53d159f33caf8bb0e65173a647df49604586cd0e8cf229
Opcode Fuzzy Hash: a2f3c6608c6c655118c0daecf270d3b07dfd66e449139b3ee47e8fbff32be7b3
Instruction Fuzzy Hash: 94617A71E087096ADE3C4A288895BBF2398EF42700F104B59E9A3DB6C1DA12FF46D355

Function 00C01706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 51e7fbe5a6ebde81c1f5324556ab50f9b6c24794f80b4d14f2f572deea0e4e62
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3A8175326090A34EDB6D467E857443EFFE15A923A131E479DD8F2CB1C1EE24C754E620

Function 00C52046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22960d7805f1879f8434e3e99e4612a322a0eed74900141a1abc300075900319
Instruction ID: 33521f4e22c52982da86f3901b4ba7f7e2227b6946b113026334f088053e04c0
Opcode Fuzzy Hash: 22960d7805f1879f8434e3e99e4612a322a0eed74900141a1abc300075900319
Instruction Fuzzy Hash: 7621B7326216118BDB28CF79C82377E73E5A794310F158A2EE4A7C77D0DE35A944CB84

Function 00C62ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C62B30
DeleteObject.GDI32(00000000), ref: 00C62B43
DestroyWindow.USER32 ref: 00C62B52
GetDesktopWindow.USER32 ref: 00C62B6D
GetWindowRect.USER32(00000000), ref: 00C62B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C62CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C62CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C62CF8
GetClientRect.USER32(00000000,?), ref: 00C62D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C62D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C62D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C62D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C62D80
GlobalLock.KERNEL32(00000000), ref: 00C62D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C62D98
GlobalUnlock.KERNEL32(00000000), ref: 00C62DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C62DA8
GlobalFree.KERNEL32(00000000), ref: 00C62DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C62DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C7FC38,00000000), ref: 00C62DDB
GlobalFree.KERNEL32(00000000), ref: 00C62DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C62E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C62E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C62E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C6303F

Strings

static, xrefs: 00C62D3A, 00C62E91
, xrefs: 00C62FC5
AutoIt v3, xrefs: 00C62CF2
DISPLAY, xrefs: 00C62EA2

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7de0f9b0b9d9d8f272341ed103bd95d9262eb934ef7fda1a2861ca714a54d536
Instruction ID: 73e58752dd50592fa079597b4817d7b2156bfe89bc387d57732a1ec3d9bd8cd0
Opcode Fuzzy Hash: 7de0f9b0b9d9d8f272341ed103bd95d9262eb934ef7fda1a2861ca714a54d536
Instruction Fuzzy Hash: D2024971900215AFDB24DFA4CC89FAE7BB9EF48711F048158F919AB2A1DB74AD41CB60

Function 00C770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C7712F
GetSysColorBrush.USER32(0000000F), ref: 00C77160
GetSysColor.USER32(0000000F), ref: 00C7716C
SetBkColor.GDI32(?,000000FF), ref: 00C77186
SelectObject.GDI32(?,?), ref: 00C77195
InflateRect.USER32(?,000000FF,000000FF), ref: 00C771C0
GetSysColor.USER32(00000010), ref: 00C771C8
CreateSolidBrush.GDI32(00000000), ref: 00C771CF
FrameRect.USER32(?,?,00000000), ref: 00C771DE
DeleteObject.GDI32(00000000), ref: 00C771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00C77230
FillRect.USER32(?,?,?), ref: 00C77262
GetWindowLongW.USER32(?,000000F0), ref: 00C77284

Part of subcall function 00C773E8: GetSysColor.USER32(00000012), ref: 00C77421
Part of subcall function 00C773E8: SetTextColor.GDI32(?,?), ref: 00C77425
Part of subcall function 00C773E8: GetSysColorBrush.USER32(0000000F), ref: 00C7743B
Part of subcall function 00C773E8: GetSysColor.USER32(0000000F), ref: 00C77446
Part of subcall function 00C773E8: GetSysColor.USER32(00000011), ref: 00C77463
Part of subcall function 00C773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C77471
Part of subcall function 00C773E8: SelectObject.GDI32(?,00000000), ref: 00C77482
Part of subcall function 00C773E8: SetBkColor.GDI32(?,00000000), ref: 00C7748B
Part of subcall function 00C773E8: SelectObject.GDI32(?,?), ref: 00C77498
Part of subcall function 00C773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C774B7
Part of subcall function 00C773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C774CE
Part of subcall function 00C773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C774DB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8f90e778437ace055bed464a6ac619c23a3593ca8b894717725d151d7c1bd4ba
Instruction ID: c87331ba099d5920108bb90dc568df295bf78768c8c1e2e9d87b198952704420
Opcode Fuzzy Hash: 8f90e778437ace055bed464a6ac619c23a3593ca8b894717725d151d7c1bd4ba
Instruction Fuzzy Hash: 53A18F72008306EFD7109F60DC88B6E7BA9FB49321F108B1DF96A961A1D771E984DB51

Function 00BF8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00BF8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C36AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C36AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C36F43

Part of subcall function 00BF8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BF8BE8,?,00000000,?,?,?,?,00BF8BBA,00000000,?), ref: 00BF8FC5

SendMessageW.USER32(?,00001053), ref: 00C36F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C36F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C36FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C36FB7

Strings

0, xrefs: 00C36DCF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5c50e7603476dd2d6fb7b17fb374a40ac796acfa4f070780d3ea500cf0e56fc2
Instruction ID: 932f9a3ba038faed1212fc90a71d2a7d4582792454e5e4b5011ca304a7ba2b2a
Opcode Fuzzy Hash: 5c50e7603476dd2d6fb7b17fb374a40ac796acfa4f070780d3ea500cf0e56fc2
Instruction Fuzzy Hash: 5112CE30610241EFDB25CF24D894BBAB7E1FB48300F5885A9F5A98B261CB31ED95DF91

Function 00C62711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C6273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C6286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C62900
GetClientRect.USER32(00000000,?), ref: 00C6290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C62955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C62964
GetStockObject.GDI32(00000011), ref: 00C62974
SelectObject.GDI32(00000000,00000000), ref: 00C62978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C62988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C62991
DeleteDC.GDI32(00000000), ref: 00C6299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C62A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C62A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C62A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C62A77
GetStockObject.GDI32(00000011), ref: 00C62A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C62A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C62A97

Strings

static, xrefs: 00C6294F, 00C62A71
msctls_progress32, xrefs: 00C62A13
AutoIt v3, xrefs: 00C628F8
DISPLAY, xrefs: 00C6295A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 349a1e5ec1357549c4cc0d7b3aefdbd2213589880ae1fb3dff0a60dc4c45b204
Instruction ID: 3778bc278b3c13ca1d317ecd31ec97a254eea80adce7f9a46bf392baa34c8108
Opcode Fuzzy Hash: 349a1e5ec1357549c4cc0d7b3aefdbd2213589880ae1fb3dff0a60dc4c45b204
Instruction Fuzzy Hash: 62B16D71A00605AFEB24DF69DC89FAE7BF9EB08710F148158F915E72A0DB74AD40CB90

Function 00C54ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C54AED
GetDriveTypeW.KERNEL32(?,00C7CB68,?,\\.\,00C7CC08), ref: 00C54BCA
SetErrorMode.KERNEL32(00000000,00C7CB68,?,\\.\,00C7CC08), ref: 00C54D36

Strings

Fixed, xrefs: 00C54C09
1394, xrefs: 00C54C9F
Unknown, xrefs: 00C54BED, 00C54C83
SATA, xrefs: 00C54CD0
Removable, xrefs: 00C54C10, 00C54C15
Fibre, xrefs: 00C54CAD
RAMDisk, xrefs: 00C54BF4
ATA, xrefs: 00C54C98
MMC, xrefs: 00C54CDE
PhysicalDrive, xrefs: 00C54B76
SAS, xrefs: 00C54CC9
SCSI, xrefs: 00C54C8A
RAID, xrefs: 00C54CBB
iSCSI, xrefs: 00C54CC2
CDROM, xrefs: 00C54BFB
FileBackedVirtual, xrefs: 00C54CEC
\\.\, xrefs: 00C54B3F
SSD, xrefs: 00C54C4A
USB, xrefs: 00C54CB4
ATAPI, xrefs: 00C54C91
Network, xrefs: 00C54C02
Virtual, xrefs: 00C54CE5
SSA, xrefs: 00C54CA6

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4677bfb710b2f24c5bdf538e143cfc5a5fe0017c20a4b2a069629b9cfab52799
Instruction ID: 84043586baae8e4b3182ee419bae269892fa5ff24af75ebef4a9a41a687c773a
Opcode Fuzzy Hash: 4677bfb710b2f24c5bdf538e143cfc5a5fe0017c20a4b2a069629b9cfab52799
Instruction Fuzzy Hash: 7961E538605106EBCB0CDF25C981D6C77B1EB8534EB288065FC16AB291DB31EEC9DB49

Function 00C773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C77421
SetTextColor.GDI32(?,?), ref: 00C77425
GetSysColorBrush.USER32(0000000F), ref: 00C7743B
GetSysColor.USER32(0000000F), ref: 00C77446
CreateSolidBrush.GDI32(?), ref: 00C7744B
GetSysColor.USER32(00000011), ref: 00C77463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C77471
SelectObject.GDI32(?,00000000), ref: 00C77482
SetBkColor.GDI32(?,00000000), ref: 00C7748B
SelectObject.GDI32(?,?), ref: 00C77498
InflateRect.USER32(?,000000FF,000000FF), ref: 00C774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00C774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C7752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C77554
InflateRect.USER32(?,000000FD,000000FD), ref: 00C77572
DrawFocusRect.USER32(?,?), ref: 00C7757D
GetSysColor.USER32(00000011), ref: 00C7758E
SetTextColor.GDI32(?,00000000), ref: 00C77596
DrawTextW.USER32(?,00C770F5,000000FF,?,00000000), ref: 00C775A8
SelectObject.GDI32(?,?), ref: 00C775BF
DeleteObject.GDI32(?), ref: 00C775CA
SelectObject.GDI32(?,?), ref: 00C775D0
DeleteObject.GDI32(?), ref: 00C775D5
SetTextColor.GDI32(?,?), ref: 00C775DB
SetBkColor.GDI32(?,?), ref: 00C775E5

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 262e9923228cc318482b8960878410ede2d5dda53d5752ef8198b863d75ed60b
Instruction ID: 8100e8b38d14b8348e760b687120dbe75b01cf809d990a32525554ff797026d4
Opcode Fuzzy Hash: 262e9923228cc318482b8960878410ede2d5dda53d5752ef8198b863d75ed60b
Instruction Fuzzy Hash: D7615272900219AFDF019FA4DC89BAE7F79EB08320F118225F919A72A1D7719980DF90

Function 00C70FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C71128
GetDesktopWindow.USER32 ref: 00C7113D
GetWindowRect.USER32(00000000), ref: 00C71144
GetWindowLongW.USER32(?,000000F0), ref: 00C71199
DestroyWindow.USER32(?), ref: 00C711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C7120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C7121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00C71232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C71245
IsWindowVisible.USER32(00000000), ref: 00C712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C712D0
GetWindowRect.USER32(00000000,?), ref: 00C712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00C7130E
GetMonitorInfoW.USER32(00000000,?), ref: 00C71328
CopyRect.USER32(?,?), ref: 00C7133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00C713AA

Strings

tooltips_class32, xrefs: 00C711E6
0, xrefs: 00C710D3
(, xrefs: 00C7131B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ec1b458cb8bd291326a63258846777ae5778dd2780f5b829a4aec997883bbd0f
Instruction ID: 2ccd3146011b3cdfe46d9ebfde02f8c6dfaeb5b9bcfd108b7b54421cd29872a4
Opcode Fuzzy Hash: ec1b458cb8bd291326a63258846777ae5778dd2780f5b829a4aec997883bbd0f
Instruction Fuzzy Hash: BBB16871608341AFD714DF69C884B6EBBE4FF88350F04895CF9999B2A1CB31E945CB92

Function 00BF8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BF8968
GetSystemMetrics.USER32(00000007), ref: 00BF8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BF899B
GetSystemMetrics.USER32(00000008), ref: 00BF89A3
GetSystemMetrics.USER32(00000004), ref: 00BF89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BF89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BF89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BF8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BF8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00BF8A5A
GetStockObject.GDI32(00000011), ref: 00BF8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF8A81

Part of subcall function 00BF912D: GetCursorPos.USER32(?), ref: 00BF9141
Part of subcall function 00BF912D: ScreenToClient.USER32(00000000,?), ref: 00BF915E
Part of subcall function 00BF912D: GetAsyncKeyState.USER32(00000001), ref: 00BF9183
Part of subcall function 00BF912D: GetAsyncKeyState.USER32(00000002), ref: 00BF919D

SetTimer.USER32(00000000,00000000,00000028,00BF90FC), ref: 00BF8AA8

Strings

AutoIt v3 GUI, xrefs: 00BF8A20

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 913302e58f5bebd440c24a25de615e0f28786fc53e519ffe7d7b498314f95356
Instruction ID: f75e16c9d805e678df324e8824d50ac25dc851265a03ef7c1157db57ed3d4ead
Opcode Fuzzy Hash: 913302e58f5bebd440c24a25de615e0f28786fc53e519ffe7d7b498314f95356
Instruction Fuzzy Hash: B4B16071A0020AAFDF14DFA8CC95BAE7BB5FB48314F148269FA15A7290DB74E940CB51

Function 00C40D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C41114
Part of subcall function 00C410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C41120
Part of subcall function 00C410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C4112F
Part of subcall function 00C410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C41136
Part of subcall function 00C410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C4114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C40DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C40E29
GetLengthSid.ADVAPI32(?), ref: 00C40E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C40E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C40E96
GetLengthSid.ADVAPI32(?), ref: 00C40EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C40EB5
HeapAlloc.KERNEL32(00000000), ref: 00C40EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C40EDD
CopySid.ADVAPI32(00000000), ref: 00C40EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C40F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C40F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C40F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C40F6E
HeapFree.KERNEL32(00000000), ref: 00C40F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C40F7E
HeapFree.KERNEL32(00000000), ref: 00C40F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C40F8E
HeapFree.KERNEL32(00000000), ref: 00C40F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C40FA1
HeapFree.KERNEL32(00000000), ref: 00C40FA8

Part of subcall function 00C41193: GetProcessHeap.KERNEL32(00000008,00C40BB1,?,00000000,?,00C40BB1,?), ref: 00C411A1
Part of subcall function 00C41193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C40BB1,?), ref: 00C411A8
Part of subcall function 00C41193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C40BB1,?), ref: 00C411B7

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 15f34ff149c3d9ce7b03f6ad9d9e880c0f5c4e9995e15493179df05b962efe6d
Instruction ID: 0d468593343c8a292373b9bbda120b649295396766083a817210f9753c406010
Opcode Fuzzy Hash: 15f34ff149c3d9ce7b03f6ad9d9e880c0f5c4e9995e15493179df05b962efe6d
Instruction Fuzzy Hash: 69716F7190020AABDF20DFA4DC45FAEBBB8BF05310F144129FA69E7191D7359A55CBA0

Function 00C6C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C6C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C7CC08,00000000,?,00000000,?,?), ref: 00C6C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C6C5A4
_wcslen.LIBCMT ref: 00C6C5F4
_wcslen.LIBCMT ref: 00C6C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C6C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C6C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C6C84D
RegCloseKey.ADVAPI32(?), ref: 00C6C881
RegCloseKey.ADVAPI32(00000000), ref: 00C6C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C6C960

Strings

REG_MULTI_SZ, xrefs: 00C6C6F5
REG_EXPAND_SZ, xrefs: 00C6C5CD
REG_QWORD, xrefs: 00C6C8C3
REG_DWORD, xrefs: 00C6C804
REG_SZ, xrefs: 00C6C644
REG_BINARY, xrefs: 00C6C913

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ef8f0afdf95a42926cfac8626129017bf6a65c51b73fa44d4b48f13bb232563b
Instruction ID: ec69a854f4046097a67b5d59f0c072fd607ecfcf5a0f1f4c5021852d99a11eda
Opcode Fuzzy Hash: ef8f0afdf95a42926cfac8626129017bf6a65c51b73fa44d4b48f13bb232563b
Instruction Fuzzy Hash: 4E1257356042019FD724DF29C891A2AB7E5FF88714F04889CF99A9B3A2DB31ED41CB81

Function 00C7091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C709C6
_wcslen.LIBCMT ref: 00C70A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C70A54
_wcslen.LIBCMT ref: 00C70A8A
_wcslen.LIBCMT ref: 00C70B06
_wcslen.LIBCMT ref: 00C70B81

Part of subcall function 00BFF9F2: _wcslen.LIBCMT ref: 00BFF9FD

Part of subcall function 00C42BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C42BFA

Strings

UNCHECK, xrefs: 00C70D3E
GETTEXT, xrefs: 00C70C97
EXISTS, xrefs: 00C70B7C, 00C70B97
EXPAND, xrefs: 00C70BF8
GETITEMCOUNT, xrefs: 00C70C1E
ISCHECKED, xrefs: 00C70CE1
GETTOTALCOUNT, xrefs: 00C709F2, 00C70A17
CHECK, xrefs: 00C70A85, 00C70AA0
SELECT, xrefs: 00C70D11
COLLAPSE, xrefs: 00C70B01, 00C70B1C
GETSELECTED, xrefs: 00C70C4E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5dca95fce3a342e003097e731ef7311404f12dcf2fd64a0b583f1f1dbd2f5baf
Instruction ID: 702859c626099be967732b5c3a5a451268aa06deb6bd5f678645d5fc1b8d13d0
Opcode Fuzzy Hash: 5dca95fce3a342e003097e731ef7311404f12dcf2fd64a0b583f1f1dbd2f5baf
Instruction Fuzzy Hash: 03E17D75208742DFC714DF25C45192AB7E1BF98318F24899DF8AA9B3A2D730EE45CB81

Function 00C6C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6B6AE,?,?), ref: 00C6C9B5
_wcslen.LIBCMT ref: 00C6C9F1
_wcslen.LIBCMT ref: 00C6CA68
_wcslen.LIBCMT ref: 00C6CA9E
_wcslen.LIBCMT ref: 00C6CAF9
_wcslen.LIBCMT ref: 00C6CB2F
_wcslen.LIBCMT ref: 00C6CB7F

Strings

HKLM, xrefs: 00C6CA98, 00C6CA9D
HKEY_CURRENT_CONFIG, xrefs: 00C6CB79, 00C6CB7E
HKU, xrefs: 00C6CBF0
HKEY_USERS, xrefs: 00C6CBDF
HKEY_CURRENT_USER, xrefs: 00C6CBBD
HKEY_LOCAL_MACHINE, xrefs: 00C6CA62, 00C6CA67
HKEY_CLASSES_ROOT, xrefs: 00C6CAF3, 00C6CAF8
HKCC, xrefs: 00C6CBAC
HKCR, xrefs: 00C6CB29, 00C6CB2E
HKCU, xrefs: 00C6CBCE

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ff87f36fd63c7d2c0a940c3557e909ee208986f2035fb136073d560e9fe433f2
Instruction ID: 4c8f587cf43815d9942f798f1cc7c347f5de2d7c9c5f7387010fc3ecde73ccf6
Opcode Fuzzy Hash: ff87f36fd63c7d2c0a940c3557e909ee208986f2035fb136073d560e9fe433f2
Instruction Fuzzy Hash: F071027260016B8BCB30DEA9CCC16BF3395AFA1754B250228FCA697285E635CE45D3A0

Function 00C7833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C7835A
_wcslen.LIBCMT ref: 00C7836E
_wcslen.LIBCMT ref: 00C78391
_wcslen.LIBCMT ref: 00C783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00C7361A,?), ref: 00C7844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C78487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C78501
FreeLibrary.KERNEL32(?), ref: 00C7850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C7851D
DestroyIcon.USER32(?), ref: 00C7852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C78549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C78555

Strings

.icl, xrefs: 00C78368
.exe, xrefs: 00C78388
.dll, xrefs: 00C783AB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 713bdb9f17421f2d7f6104fe29733ff023db58febd0b9435497229baa49eca87
Instruction ID: cf8877046d5945b06e685dda54e02f715b87d044f2b6859c74dfe610123d1ac8
Opcode Fuzzy Hash: 713bdb9f17421f2d7f6104fe29733ff023db58febd0b9435497229baa49eca87
Instruction Fuzzy Hash: 5361C271540216BEEB14DF64CC89BBF77ACBB04711F108619FA29D60D1DBB49A84D7A0

Function 00BE7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00C25153
Bad directive syntax error, xrefs: 00C2519A
#notrayicon, xrefs: 00BE77E7
#cs, xrefs: 00BE7873, 00BE78C5
#pragma compile, xrefs: 00BE77D3
#comments-start, xrefs: 00BE785F, 00BE78B1
#comments-end, xrefs: 00BE78D9
', xrefs: 00C25169
Cannot parse #include, xrefs: 00C25279
#include, xrefs: 00BE7847
#ce, xrefs: 00BE78ED
#include-once, xrefs: 00BE782F
#OnAutoItStartRegister, xrefs: 00BE7817
Unterminated group of comments, xrefs: 00C2528C
#requireadmin, xrefs: 00BE77FF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 913538e28e6748dba3f261c2fdbc946263002ac803c13dede96db83318620cea
Instruction ID: 3b0e45dd33da9d641734ba6d9fcaed6ae49e70f10a07f3227247a695a66dd89f
Opcode Fuzzy Hash: 913538e28e6748dba3f261c2fdbc946263002ac803c13dede96db83318620cea
Instruction Fuzzy Hash: BC81C171684215BBDB21AF61DC82FBF37E8AF15300F0480A4F919AB192EB70DE55D7A1

Function 00C53E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C53EF8
_wcslen.LIBCMT ref: 00C53F03
_wcslen.LIBCMT ref: 00C53F5A
_wcslen.LIBCMT ref: 00C53F98
GetDriveTypeW.KERNEL32(?), ref: 00C53FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C5401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C54059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C54087

Strings

close, xrefs: 00C53EFE, 00C53F18
close cd wait, xrefs: 00C54072
open , xrefs: 00C53FE5
wait, xrefs: 00C54044
open, xrefs: 00C53F54, 00C53F59
type cdaudio alias cd wait, xrefs: 00C54001
closed, xrefs: 00C53F08, 00C53F2D, 00C53F46, 00C53F7E, 00C53F97
set cd door , xrefs: 00C54028

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: eba855e6e85b69b21d4e42ca86740abc5825f64ef4cc5fc474742b31522d6d54
Instruction ID: 9034bbb84e599f066b09cbd34fe3a1bc5c205e698ccf2564f51ee4df72380912
Opcode Fuzzy Hash: eba855e6e85b69b21d4e42ca86740abc5825f64ef4cc5fc474742b31522d6d54
Instruction Fuzzy Hash: 3E7114725042029FC710EF25C88186FB7F4EF947A8F104A6DF9A597291EB30DE89CB91

Function 00C45A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C45A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C45A40
SetWindowTextW.USER32(?,?), ref: 00C45A57
GetDlgItem.USER32(?,000003EA), ref: 00C45A6C
SetWindowTextW.USER32(00000000,?), ref: 00C45A72
GetDlgItem.USER32(?,000003E9), ref: 00C45A82
SetWindowTextW.USER32(00000000,?), ref: 00C45A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C45AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C45AC3
GetWindowRect.USER32(?,?), ref: 00C45ACC
_wcslen.LIBCMT ref: 00C45B33
SetWindowTextW.USER32(?,?), ref: 00C45B6F
GetDesktopWindow.USER32 ref: 00C45B75
GetWindowRect.USER32(00000000), ref: 00C45B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C45BD3
GetClientRect.USER32(?,?), ref: 00C45BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C45C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C45C2F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: a40951b594b3ce3023ecc5714eaecdeaaf034efa184aac47403b120c9cd200b0
Instruction ID: 0197cb146744f8bf136d8ca80a08cc97e0ee0546f7c0c6daf23c724a240aa1e2
Opcode Fuzzy Hash: a40951b594b3ce3023ecc5714eaecdeaaf034efa184aac47403b120c9cd200b0
Instruction Fuzzy Hash: B7718D31900B0AAFDB20DFA8CE85BAEBBF5FF48704F10451CE556A25A1D775EA40CB50

Function 00C5FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C5FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00C5FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00C5FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00C5FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00C5FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00C5FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00C5FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00C5FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00C5FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00C5FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00C5FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00C5FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00C5FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00C5FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00C5FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00C5FECC
GetCursorInfo.USER32(?), ref: 00C5FEDC
GetLastError.KERNEL32 ref: 00C5FF1E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1a8824691088082fedbb6f0b93d398518d6b1f50c58aceee048a6f4f4db04d5d
Instruction ID: 479db877854ee87cbf8ebd77b1d58ecbedc6f001773c9cb818a5f8bfad4b25fa
Opcode Fuzzy Hash: 1a8824691088082fedbb6f0b93d398518d6b1f50c58aceee048a6f4f4db04d5d
Instruction Fuzzy Hash: 9D4172B0D043196ADB10DFBA8C8985EBFE8FF04354B50462AF51DE7281DB78A941CF94

Function 00C000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C000C6

Part of subcall function 00C000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00CB070C,00000FA0,2F3AC050,?,?,?,?,00C223B3,000000FF), ref: 00C0011C
Part of subcall function 00C000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C223B3,000000FF), ref: 00C00127
Part of subcall function 00C000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C223B3,000000FF), ref: 00C00138
Part of subcall function 00C000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C0014E
Part of subcall function 00C000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C0015C
Part of subcall function 00C000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C0016A
Part of subcall function 00C000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C00195
Part of subcall function 00C000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C001A0

___scrt_fastfail.LIBCMT ref: 00C000E7

Part of subcall function 00C000A3: __onexit.LIBCMT ref: 00C000A9

Strings

InitializeConditionVariable, xrefs: 00C00148
WakeAllConditionVariable, xrefs: 00C00162
SleepConditionVariableCS, xrefs: 00C00154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C00122
kernel32.dll, xrefs: 00C00133

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 459c6ce54af5935904cc353c194a458c4d0c4355ee9b22637e5532a64006fef7
Instruction ID: b4cc03a14af15cb7bb765787e80aa297935dc4a938e156683631838bd7a0b3bb
Opcode Fuzzy Hash: 459c6ce54af5935904cc353c194a458c4d0c4355ee9b22637e5532a64006fef7
Instruction Fuzzy Hash: 1B21F633A447126BE7205F74AC8AB6E77D4EB05B51F22413EF909A36D1DF709840CA90

Function 00C430F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C4318D
_wcslen.LIBCMT ref: 00C431F8

Strings

NAME, xrefs: 00C43335, 00C43346
REGEXPCLASS, xrefs: 00C43255, 00C43266
CLASSNN, xrefs: 00C431F3, 00C43204
CLASS, xrefs: 00C43188, 00C431A5
INSTANCE, xrefs: 00C43453
TEXT, xrefs: 00C4347C

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b49c778461b078ca66a3b733cf1d3cfa3a32a88834b668fa7a61f214866e1c11
Instruction ID: 2616b3fc7f313f09a6012ed6c9e9078e425d8ccc1db5ac17b7d71f5e603ebca0
Opcode Fuzzy Hash: b49c778461b078ca66a3b733cf1d3cfa3a32a88834b668fa7a61f214866e1c11
Instruction Fuzzy Hash: 30E1E632A00556ABCF189FB4C8417EEBBB4BF94710F548129E466E7290DB70AF85D7A0

Function 00C544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00C7CC08), ref: 00C54527
_wcslen.LIBCMT ref: 00C5453B
_wcslen.LIBCMT ref: 00C54599
_wcslen.LIBCMT ref: 00C545F4
_wcslen.LIBCMT ref: 00C5463F
_wcslen.LIBCMT ref: 00C546A7

Part of subcall function 00BFF9F2: _wcslen.LIBCMT ref: 00BFF9FD

GetDriveTypeW.KERNEL32(?,00CA6BF0,00000061), ref: 00C54743

Strings

unknown, xrefs: 00C54708
network, xrefs: 00C5469D, 00C546A2
ramdisk, xrefs: 00C546F1
removable, xrefs: 00C545EA, 00C545EF
all, xrefs: 00C54531, 00C54536
fixed, xrefs: 00C54635, 00C5463A
cdrom, xrefs: 00C5458F, 00C54594

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: eccbb3dd0fa358b5329b329d74eb0a2f92b1eea03e4a5ea5bb12cfdd81167be7
Instruction ID: 27fc36b4312b8968cabdf3818bc3cbcbac9c2b53f00499ec73f190082896f16f
Opcode Fuzzy Hash: eccbb3dd0fa358b5329b329d74eb0a2f92b1eea03e4a5ea5bb12cfdd81167be7
Instruction Fuzzy Hash: 7FB136756083029FC718DF28C890A6EB7E4AFA5759F50491DF8A6C3291EB30D9C8CB52

Function 00C63FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C7CC08), ref: 00C640BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C640CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00C7CC08), ref: 00C640F2
FreeLibrary.KERNEL32(00000000,?,00C7CC08), ref: 00C6413E
StringFromGUID2.OLE32(?,?,00000028,?,00C7CC08), ref: 00C641A8
SysFreeString.OLEAUT32(00000009), ref: 00C64262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C642C8
SysFreeString.OLEAUT32(?), ref: 00C642F2

Strings

GetModuleHandleExW, xrefs: 00C640C7
kernel32.dll, xrefs: 00C640B6

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: ea5bd846b25cd8dd2d539e4e057080e63636cc7c4f952e9f39dc2aa3fea25c15
Instruction ID: 6c86a87966dec93b116741aaaba83ee85ae05e899f9f598a3bf4057dde8ca9d0
Opcode Fuzzy Hash: ea5bd846b25cd8dd2d539e4e057080e63636cc7c4f952e9f39dc2aa3fea25c15
Instruction Fuzzy Hash: 7D122B75A00115EFDB28DF54C8C4EAEBBB5FF45314F248098E9169B251DB31EE86CBA0

Function 00BE326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00CB1990), ref: 00C22F8D
GetMenuItemCount.USER32(00CB1990), ref: 00C2303D
GetCursorPos.USER32(?), ref: 00C23081
SetForegroundWindow.USER32(00000000), ref: 00C2308A
TrackPopupMenuEx.USER32(00CB1990,00000000,?,00000000,00000000,00000000), ref: 00C2309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C230A9

Strings

0, xrefs: 00BE327D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 788c1d9ed64e645e0932076c3f331c2caf3a542bbe62203b711177e2dbfab891
Instruction ID: 67fb7bc3f2a7be11257d61a8171f7cf5104348da898cec2a6fea882938db72a6
Opcode Fuzzy Hash: 788c1d9ed64e645e0932076c3f331c2caf3a542bbe62203b711177e2dbfab891
Instruction Fuzzy Hash: 34712A30644266BEEB218F65DDC9F9ABFB4FF04724F204216F6246A1E0C7B5AE50D750

Function 00C76CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00C76DEB

Part of subcall function 00BE6B57: _wcslen.LIBCMT ref: 00BE6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C76E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C76E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C76E94
DestroyWindow.USER32(?), ref: 00C76EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BE0000,00000000), ref: 00C76EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C76EFD
GetDesktopWindow.USER32 ref: 00C76F16
GetWindowRect.USER32(00000000), ref: 00C76F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C76F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C76F4D

Part of subcall function 00BF9944: GetWindowLongW.USER32(?,000000EB), ref: 00BF9952

Strings

tooltips_class32, xrefs: 00C76E58, 00C76EDD
0, xrefs: 00C76D98

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: d5178c4e5ee79e328f3350c0b113a7da05c172a53af423f88d81a0cb05619176
Instruction ID: a386a09c2ac8f480b2b0e3924a3f852c911ecb173e69261825564feb471b3998
Opcode Fuzzy Hash: d5178c4e5ee79e328f3350c0b113a7da05c172a53af423f88d81a0cb05619176
Instruction Fuzzy Hash: 53719770504241AFDB21DF28DC98FBABBF9FB89304F54851DF9A987261C770AA49CB11

Function 00C7911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BF9BB2

DragQueryPoint.SHELL32(?,?), ref: 00C79147

Part of subcall function 00C77674: ClientToScreen.USER32(?,?), ref: 00C7769A
Part of subcall function 00C77674: GetWindowRect.USER32(?,?), ref: 00C77710
Part of subcall function 00C77674: PtInRect.USER32(?,?,00C78B89), ref: 00C77720

SendMessageW.USER32(?,000000B0,?,?), ref: 00C791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C79225
SendMessageW.USER32(?,000000B0,?,?), ref: 00C7923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00C79255
SendMessageW.USER32(?,000000B1,?,?), ref: 00C79277
DragFinish.SHELL32(?), ref: 00C7927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C79371

Strings

@GUI_DRAGFILE, xrefs: 00C79320
@GUI_DRAGID, xrefs: 00C792E9
@GUI_DROPID, xrefs: 00C7929E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 6ffe5348c87c94bf4cb7a1c7a70066694b5ffaac6194f43812ab0a563bc1f208
Instruction ID: 89ee5ee50408c1f8a368cea2e26129a07ce143f22c757f6e4ef2d7007e464f89
Opcode Fuzzy Hash: 6ffe5348c87c94bf4cb7a1c7a70066694b5ffaac6194f43812ab0a563bc1f208
Instruction Fuzzy Hash: 3B618B71108341AFC701EF65DC85EAFBBE8FF89750F404A2DF599921A1DB309A49CB92

Function 00C5C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C5C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C5C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C5C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C5C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C5C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C5C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C5C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C5C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C5C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C5C5F0
InternetCloseHandle.WININET(00000000), ref: 00C5C5FB

Strings

, xrefs: 00C5C575

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f62b39ebb850b4faca975abd2a5eb6f8a33a56bc3c168748a9d52b91ad1b4a12
Instruction ID: 0da2cb779677f4340390d500e8d1fe5ba620aa40b380a8110f68d435a83a058e
Opcode Fuzzy Hash: f62b39ebb850b4faca975abd2a5eb6f8a33a56bc3c168748a9d52b91ad1b4a12
Instruction Fuzzy Hash: B9515DB4500305BFDB218FA5C9C8BAB7BBCFB04745F40441DF956D6250EB34EA88AB64

Function 00C7856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00C78592
GetFileSize.KERNEL32(00000000,00000000), ref: 00C785A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C785AD
CloseHandle.KERNEL32(00000000), ref: 00C785BA
GlobalLock.KERNEL32(00000000), ref: 00C785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C785D7
GlobalUnlock.KERNEL32(00000000), ref: 00C785E0
CloseHandle.KERNEL32(00000000), ref: 00C785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C785F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C7FC38,?), ref: 00C78611
GlobalFree.KERNEL32(00000000), ref: 00C78621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00C78641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C78671
DeleteObject.GDI32(00000000), ref: 00C78699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C786AF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 022e6f1161279d319aa4466416293045f55b09bd093caea314dc1a2be91fa299
Instruction ID: a37e082c170c48c7c7072d2300f390a63fbfc94127a76c7ed17d0c5177ac74bf
Opcode Fuzzy Hash: 022e6f1161279d319aa4466416293045f55b09bd093caea314dc1a2be91fa299
Instruction Fuzzy Hash: 2841F775640205BFDB119FA5CC8CFAE7BB8EB89B11F108059F919E7260DB309A45CB60

Function 00C514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C51502
VariantCopy.OLEAUT32(?,?), ref: 00C5150B
VariantClear.OLEAUT32(?), ref: 00C51517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00C51657
VariantInit.OLEAUT32(?), ref: 00C51708
SysFreeString.OLEAUT32(?), ref: 00C5178C
VariantClear.OLEAUT32(?), ref: 00C517D8
VariantClear.OLEAUT32(?), ref: 00C517E7
VariantInit.OLEAUT32(00000000), ref: 00C51823

Strings

Default, xrefs: 00C516AF
%4d%02d%02d%02d%02d%02d, xrefs: 00C51625

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 81ad96e47b109724d60b034bbc4f20ab268aa16a5ece9ec47d43c57e86a9cbbf
Instruction ID: cf2e534556956d417a39240db4151453822a3ab631bce4c99e4d3e1208b1140b
Opcode Fuzzy Hash: 81ad96e47b109724d60b034bbc4f20ab268aa16a5ece9ec47d43c57e86a9cbbf
Instruction Fuzzy Hash: 59D10235A00109DBCB00AF66D889B7DB7F5BF44701F5880AAFC16AB180EB34DD89DB65

Function 00C6B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C6C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6B6AE,?,?), ref: 00C6C9B5
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6C9F1
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6CA68
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C6B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C6B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00C6B80A
RegCloseKey.ADVAPI32(?), ref: 00C6B87E
RegCloseKey.ADVAPI32(?), ref: 00C6B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C6B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C6B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C6B922
FreeLibrary.KERNEL32(00000000), ref: 00C6B983
RegCloseKey.ADVAPI32(00000000), ref: 00C6B994

Strings

advapi32.dll, xrefs: 00C6B8ED
RegDeleteKeyExW, xrefs: 00C6B8FE

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 56ad63563f4917bf2113e83d20f4fd93a8d314ef4b8c1b1ebf67e783826221a5
Instruction ID: f006fdfe055dd3d5c6fca3684d5db2676aac0fbf76dedd8f87788db8c3529976
Opcode Fuzzy Hash: 56ad63563f4917bf2113e83d20f4fd93a8d314ef4b8c1b1ebf67e783826221a5
Instruction Fuzzy Hash: 5DC17D35208241AFD724DF15C4D5F2ABBE5BF84318F14859CF5AA8B2A2CB31ED85CB91

Function 00C6255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C625E8
CreateCompatibleDC.GDI32(?), ref: 00C625F4
SelectObject.GDI32(00000000,?), ref: 00C62601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C6266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C626D0
SelectObject.GDI32(?,?), ref: 00C626D8
DeleteObject.GDI32(?), ref: 00C626E1
DeleteDC.GDI32(?), ref: 00C626E8
ReleaseDC.USER32(00000000,?), ref: 00C626F3

Strings

(, xrefs: 00C6268D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 84237eb5e202bdecb7a589f1556ff2f41df3365aef44248bf7a1ac59c0e4f1e8
Instruction ID: 8e6a58ea51b1c8c6fe40a47c21574ff5f6ef848fbd2562ce03cd6567dfc10ceb
Opcode Fuzzy Hash: 84237eb5e202bdecb7a589f1556ff2f41df3365aef44248bf7a1ac59c0e4f1e8
Instruction Fuzzy Hash: 4761D275D0061AEFCF14CFA8D884AAEBBB5FF48310F208529E95AA7250D774A941DF90

Function 00C1DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C1DAA1

Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D659
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D66B
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D67D
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D68F
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D6A1
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D6B3
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D6C5
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D6D7
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D6E9
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D6FB
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D70D
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D71F
Part of subcall function 00C1D63C: _free.LIBCMT ref: 00C1D731

_free.LIBCMT ref: 00C1DA96

Part of subcall function 00C129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000), ref: 00C129DE
Part of subcall function 00C129C8: GetLastError.KERNEL32(00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000,00000000), ref: 00C129F0

_free.LIBCMT ref: 00C1DAB8
_free.LIBCMT ref: 00C1DACD
_free.LIBCMT ref: 00C1DAD8
_free.LIBCMT ref: 00C1DAFA
_free.LIBCMT ref: 00C1DB0D
_free.LIBCMT ref: 00C1DB1B
_free.LIBCMT ref: 00C1DB26
_free.LIBCMT ref: 00C1DB5E
_free.LIBCMT ref: 00C1DB65
_free.LIBCMT ref: 00C1DB82
_free.LIBCMT ref: 00C1DB9A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 53fecb9fa736f54484fd26694992cc9ada226b9fb96547de2bb49c1b41ed423e
Instruction ID: 576b823d194342dfde67fad7995079383f47682d209a9e295595611b2dff9cce
Opcode Fuzzy Hash: 53fecb9fa736f54484fd26694992cc9ada226b9fb96547de2bb49c1b41ed423e
Instruction Fuzzy Hash: AF316D326047059FEB21AA39E845BDA77E8FF02320F114419F46ADB191DF34ADE0B720

Function 00C4365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C4369C
_wcslen.LIBCMT ref: 00C436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C43797
GetClassNameW.USER32(?,?,00000400), ref: 00C4380C
GetDlgCtrlID.USER32(?), ref: 00C4385D
GetWindowRect.USER32(?,?), ref: 00C43882
GetParent.USER32(?), ref: 00C438A0
ScreenToClient.USER32(00000000), ref: 00C438A7
GetClassNameW.USER32(?,?,00000100), ref: 00C43921
GetWindowTextW.USER32(?,?,00000400), ref: 00C4395D

Strings

%s%u, xrefs: 00C43734

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 267cdadacc7e0981ffecd021a5c67f1593023e4c1761dfffefeee97d74302377
Instruction ID: b5f60784c760800fd1ff45734d7d4ed4911a66b9bf3d62072d836b228f7200a6
Opcode Fuzzy Hash: 267cdadacc7e0981ffecd021a5c67f1593023e4c1761dfffefeee97d74302377
Instruction Fuzzy Hash: 6491BF71204646AFD719DF24C885BAAF7E8FF94350F108629FAA9C2190DB30EB55CB91

Function 00C44954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C44994
GetWindowTextW.USER32(?,?,00000400), ref: 00C449DA
_wcslen.LIBCMT ref: 00C449EB
CharUpperBuffW.USER32(?,00000000), ref: 00C449F7
_wcsstr.LIBVCRUNTIME ref: 00C44A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C44A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C44A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C44AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C44B20
GetWindowRect.USER32(?,?), ref: 00C44B8B

Strings

ThumbnailClass, xrefs: 00C44A6F, 00C44AF1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5d6529b0867d2a28ba1606c6a9d3dd72618b3f451742d13978e3f5f369ea465d
Instruction ID: 5d74d85cc37a02692168383b1f3b55dda5e2f78e84b2c1d6cf2e8c2bbcae24c9
Opcode Fuzzy Hash: 5d6529b0867d2a28ba1606c6a9d3dd72618b3f451742d13978e3f5f369ea465d
Instruction Fuzzy Hash: E391C0710082069FDB08DF14C9C5FAA77E8FF84714F248469FD999A196DB30EE45CBA1

Function 00C4BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00CB1990,000000FF,00000000,00000030), ref: 00C4BFAC
SetMenuItemInfoW.USER32(00CB1990,00000004,00000000,00000030), ref: 00C4BFE1
Sleep.KERNEL32(000001F4), ref: 00C4BFF3
GetMenuItemCount.USER32(?), ref: 00C4C039
GetMenuItemID.USER32(?,00000000), ref: 00C4C056
GetMenuItemID.USER32(?,-00000001), ref: 00C4C082
GetMenuItemID.USER32(?,?), ref: 00C4C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C4C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C4C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C4C145

Strings

0, xrefs: 00C4BF3D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 31dcaa0f475451dc30022f726d3e9b63222109f1ccfa98b4c294729e5a914292
Instruction ID: 64af64ad3e7e5eac93f2a716f30adeddb8f9694c61e0746bc86e3a4b05200b29
Opcode Fuzzy Hash: 31dcaa0f475451dc30022f726d3e9b63222109f1ccfa98b4c294729e5a914292
Instruction Fuzzy Hash: ED619EB090124AAFEF51CF64CDC8BEE7BB8FB05354F040159E825A32A1D735AE45DB60

Function 00C6CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C6CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C6CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C6CD48

Part of subcall function 00C6CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C6CCAA
Part of subcall function 00C6CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C6CCBD
Part of subcall function 00C6CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C6CCCF
Part of subcall function 00C6CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C6CD05
Part of subcall function 00C6CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C6CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C6CCF3

Strings

advapi32.dll, xrefs: 00C6CCB8
RegDeleteKeyExW, xrefs: 00C6CCC9

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 4480ae1eee3e2dbf829556da7127c00bdf9a3068a481cb7d26b4e6dcf9417bcf
Instruction ID: a35b9e9a2320a94e88bbf7c95841a88a91786191676cda7e8eda8c8eb3728a84
Opcode Fuzzy Hash: 4480ae1eee3e2dbf829556da7127c00bdf9a3068a481cb7d26b4e6dcf9417bcf
Instruction Fuzzy Hash: 89315C71A01129BBDB309B55DCC8FFFBB7CEF46750F000169E95AE2240DB349A859AE0

Function 00C53D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C53D40
_wcslen.LIBCMT ref: 00C53D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C53D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C53DBE
RemoveDirectoryW.KERNEL32(?), ref: 00C53DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C53E55
CloseHandle.KERNEL32(00000000), ref: 00C53E60
CloseHandle.KERNEL32(00000000), ref: 00C53E6B

Strings

:, xrefs: 00C53D82
\, xrefs: 00C53D77
\??\%s, xrefs: 00C53D5B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ab619d6950f6bcdf270fe31b57bc4a2e6184a731854d975e0ac2df2c85328acb
Instruction ID: df9b0e584f0d6f6f01151436f5ee7e7fe8e24080817fab32dfbb9d654f11963a
Opcode Fuzzy Hash: ab619d6950f6bcdf270fe31b57bc4a2e6184a731854d975e0ac2df2c85328acb
Instruction Fuzzy Hash: 5531A57651014AABDB219BA0DC89FEF37BCEF88741F1040B9F919D6061E77497888B24

Function 00C4E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C4E6B4

Part of subcall function 00BFE551: timeGetTime.WINMM(?,?,00C4E6D4), ref: 00BFE555

Sleep.KERNEL32(0000000A), ref: 00C4E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C4E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C4E727
SetActiveWindow.USER32 ref: 00C4E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C4E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C4E773
Sleep.KERNEL32(000000FA), ref: 00C4E77E
IsWindow.USER32 ref: 00C4E78A
EndDialog.USER32(00000000), ref: 00C4E79B

Strings

BUTTON, xrefs: 00C4E719

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2f839a104b272234f85dad8d096fab7292ec8d963ef81c83e2ca35df53ade1cd
Instruction ID: ec921cf886b0ea107fdad5db2308994a9a7e87285bab8fadac40f623356db315
Opcode Fuzzy Hash: 2f839a104b272234f85dad8d096fab7292ec8d963ef81c83e2ca35df53ade1cd
Instruction Fuzzy Hash: F621A2B0640606AFEB005F70ECCAF2E3B69F754399F161529F91AC21B1DB71AC409B24

Function 00C4E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C4EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C4EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C4EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C4EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C4EAA7

Strings

open , xrefs: 00C4EA0C
play PlayMe wait, xrefs: 00C4EA91
close PlayMe, xrefs: 00C4EA6E, 00C4EA9B
status PlayMe mode, xrefs: 00C4EA58
play PlayMe, xrefs: 00C4EAA2
alias PlayMe, xrefs: 00C4EA36

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: a5722002af5e5df5cbe32f4655613be1b66a65b06f1ec92efc9be86b1df0141c
Instruction ID: e75e6da5ac5d3a840037f269fcf9832b366b17a469f0deeea21e9c3ac63b7453
Opcode Fuzzy Hash: a5722002af5e5df5cbe32f4655613be1b66a65b06f1ec92efc9be86b1df0141c
Instruction Fuzzy Hash: CB112131A5026A79D720A7B2DC4AEFF6ABCFBD2F44F4504797811A20D1EFB05A45C5B0

Function 00C49F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C4A012
SetKeyboardState.USER32(?), ref: 00C4A07D
GetAsyncKeyState.USER32(000000A0), ref: 00C4A09D
GetKeyState.USER32(000000A0), ref: 00C4A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00C4A0E3
GetKeyState.USER32(000000A1), ref: 00C4A0F4
GetAsyncKeyState.USER32(00000011), ref: 00C4A120
GetKeyState.USER32(00000011), ref: 00C4A12E
GetAsyncKeyState.USER32(00000012), ref: 00C4A157
GetKeyState.USER32(00000012), ref: 00C4A165
GetAsyncKeyState.USER32(0000005B), ref: 00C4A18E
GetKeyState.USER32(0000005B), ref: 00C4A19C

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e80ca6a9ecd0dee398bb526a6e54881d5f4b3417fb158ff112ea58be5f182caa
Instruction ID: fd2af060b3f923d31a105702c01a2d2328b1f568ffe7b0071a8feab476adfce6
Opcode Fuzzy Hash: e80ca6a9ecd0dee398bb526a6e54881d5f4b3417fb158ff112ea58be5f182caa
Instruction Fuzzy Hash: 1351FA309447986AFB35DBA088507EFBFB5BF12380F08459DD5D2571C2DA64AB8CC762

Function 00C45CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C45CE2
GetWindowRect.USER32(00000000,?), ref: 00C45CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C45D59
GetDlgItem.USER32(?,00000002), ref: 00C45D69
GetWindowRect.USER32(00000000,?), ref: 00C45D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C45DCF
GetDlgItem.USER32(?,000003E9), ref: 00C45DDD
GetWindowRect.USER32(00000000,?), ref: 00C45DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C45E31
GetDlgItem.USER32(?,000003EA), ref: 00C45E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C45E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C45E67

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f4967614e750084bb2fbf88bc64e7069d841d76c14f55e9479a9cfb1aafcf7f4
Instruction ID: f4539f1f30f70162f436b44f656efe42e846d2b23adaa438f55d43312499784e
Opcode Fuzzy Hash: f4967614e750084bb2fbf88bc64e7069d841d76c14f55e9479a9cfb1aafcf7f4
Instruction Fuzzy Hash: C051FDB1A00616AFDB18CF68DD89BAEBBB5FF48300F548129F919E6291D7709E44CB50

Function 00BF8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BF8BE8,?,00000000,?,?,?,?,00BF8BBA,00000000,?), ref: 00BF8FC5

DestroyWindow.USER32(?), ref: 00BF8C81
KillTimer.USER32(00000000,?,?,?,?,00BF8BBA,00000000,?), ref: 00BF8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C36973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BF8BBA,00000000,?), ref: 00C369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BF8BBA,00000000,?), ref: 00C369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BF8BBA,00000000), ref: 00C369D4
DeleteObject.GDI32(00000000), ref: 00C369E6

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 71c44438e95ace4c1f4543c6430331a4270fd44ccef031756dfbbbf1ce36f052
Instruction ID: 10c4bea1942d15118c07b93bea38272f2306924e62e04128eebb04a774005942
Opcode Fuzzy Hash: 71c44438e95ace4c1f4543c6430331a4270fd44ccef031756dfbbbf1ce36f052
Instruction Fuzzy Hash: 6261CC30412708EFCB259F14D998B3977F1FB40312F18866CE6569B9A0CB31AA94DF90

Function 00BF9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00BF9944: GetWindowLongW.USER32(?,000000EB), ref: 00BF9952

GetSysColor.USER32(0000000F), ref: 00BF9862

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 80e537e1ff8f6f213920129cc220b28b3ac1b16e20c7f0d5c6a2a692c65f90f4
Instruction ID: 8744789309d89f434ea5f1d79cc5223475ef88dbca925345b12123d4ce265c9f
Opcode Fuzzy Hash: 80e537e1ff8f6f213920129cc220b28b3ac1b16e20c7f0d5c6a2a692c65f90f4
Instruction Fuzzy Hash: 6A41AD31104648AFDB305F389C88BBD3BA5EB463B0F544699FAB68B1E1C7719D86DB10

Function 00C496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C2F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C49717
LoadStringW.USER32(00000000,?,00C2F7F8,00000001), ref: 00C49720

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C2F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C49742
LoadStringW.USER32(00000000,?,00C2F7F8,00000001), ref: 00C49745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C49866

Strings

Line %d (File "%s"):, xrefs: 00C4978F
Error: , xrefs: 00C4981D
^ ERROR, xrefs: 00C497FB
Line %d:, xrefs: 00C497A0
%s (%d) : ==> %s: %s %s, xrefs: 00C4984A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: bc0a66edf8bf41a4084392d4b06a9004c2eca50df988e0c674861c9c8003c478
Instruction ID: c329c1186419736c986fef0653114564a4b8f80d31c318c50a7635f48f41d802
Opcode Fuzzy Hash: bc0a66edf8bf41a4084392d4b06a9004c2eca50df988e0c674861c9c8003c478
Instruction Fuzzy Hash: 83415172800259AACF14FBE1CD86EEE77B8EF55740F6400A5F60572092EB356F49CB61

Function 00C406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE6B57: _wcslen.LIBCMT ref: 00BE6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C40804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C4082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C40837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C4083C

Strings

SOFTWARE\Classes\, xrefs: 00C4070E
\CLSID, xrefs: 00C40724
\IPC$, xrefs: 00C40784

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 0754d288792f798c72b54aca9d03ddeb809a9d0b9a501a5494e84a9728ff4f5b
Instruction ID: 079b1c69be856c95499699a1536592524c93dbf0129b844ad809ce49cb1a3a84
Opcode Fuzzy Hash: 0754d288792f798c72b54aca9d03ddeb809a9d0b9a501a5494e84a9728ff4f5b
Instruction Fuzzy Hash: F6413B72C10229ABCF11EFA4DC85DEEB7B8FF44750F144169E915A71A1EB30AE44CBA0

Function 00C73F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C7403B
CreateCompatibleDC.GDI32(00000000), ref: 00C74042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C74055
SelectObject.GDI32(00000000,00000000), ref: 00C7405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C74068
DeleteDC.GDI32(00000000), ref: 00C74072
GetWindowLongW.USER32(?,000000EC), ref: 00C7407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00C74092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00C7409E

Strings

static, xrefs: 00C73FD3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: ee78f95478f5b9e599829477f88ba1926bc8036008320200e556b9b26025ca74
Instruction ID: fa5e2dd04dee76e876092ce6bd4a2b7e1b0091cb450f4c7e56dbf41488a9c447
Opcode Fuzzy Hash: ee78f95478f5b9e599829477f88ba1926bc8036008320200e556b9b26025ca74
Instruction Fuzzy Hash: D2316C32501216ABDF219FA4DC89FDE3BA8FF0D760F114215FA29A61A0C775D950DB90

Function 00C63C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C63C5C
CoInitialize.OLE32(00000000), ref: 00C63C8A
CoUninitialize.OLE32 ref: 00C63C94
_wcslen.LIBCMT ref: 00C63D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00C63DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C63ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C63F0E
CoGetObject.OLE32(?,00000000,00C7FB98,?), ref: 00C63F2D
SetErrorMode.KERNEL32(00000000), ref: 00C63F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C63FC4
VariantClear.OLEAUT32(?), ref: 00C63FD8

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: c3022a433f57fe6fc0337e75593c4cb9274f58a256e0aa21361e834a800a48b2
Instruction ID: 9b4b8c0fb7c69c56f08f7dbbee9f3133f19be21102dd0223c619cbe2de7da5dc
Opcode Fuzzy Hash: c3022a433f57fe6fc0337e75593c4cb9274f58a256e0aa21361e834a800a48b2
Instruction Fuzzy Hash: 04C14371608241AFC710DF69C8C492BBBE9FF89744F10495DF98A9B250DB31EE45CB62

Function 00C57A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C57AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C57B8F
SHGetDesktopFolder.SHELL32(?), ref: 00C57BA3
CoCreateInstance.OLE32(00C7FD08,00000000,00000001,00CA6E6C,?), ref: 00C57BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C57C74
CoTaskMemFree.OLE32(?,?), ref: 00C57CCC
SHBrowseForFolderW.SHELL32(?), ref: 00C57D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C57D7A
CoTaskMemFree.OLE32(00000000), ref: 00C57D81
CoTaskMemFree.OLE32(00000000), ref: 00C57DD6
CoUninitialize.OLE32 ref: 00C57DDC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4a4ae47032ec7b31027688712f233f4150e0bed1cea51c4cfad9509676556432
Instruction ID: f1efb2038e7b7a96a3b5d38ff62edc9a162453ec402a095b8d4e428beacadf5f
Opcode Fuzzy Hash: 4a4ae47032ec7b31027688712f233f4150e0bed1cea51c4cfad9509676556432
Instruction Fuzzy Hash: AAC12C75A04109AFCB14DFA4D888DAEBBF9FF48305B148598F8199B361D730EE85CB90

Function 00C7541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C75504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C75515
CharNextW.USER32(00000158), ref: 00C75544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C75585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C7559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C755AC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 6335ecb0308ffa3105b3e16d96ed351684ecf918d808bb219ee3c014ef6339eb
Instruction ID: 7c34bb2b1f39062136d870c7be004a2bd1577f751cbc886dff9e398ef7563672
Opcode Fuzzy Hash: 6335ecb0308ffa3105b3e16d96ed351684ecf918d808bb219ee3c014ef6339eb
Instruction Fuzzy Hash: 85617E70904609EFDF109F95CC85AFE7BB9EB09760F10C149FA29A7290D7B49A81DB60

Function 00C3FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C3FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C3FB08
VariantInit.OLEAUT32(?), ref: 00C3FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C3FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C3FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C3FBA1
VariantClear.OLEAUT32(?), ref: 00C3FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C3FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C3FBCC
VariantClear.OLEAUT32(?), ref: 00C3FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C3FBE9

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5b1e600d6c252e099bcbd9a694332d9d4c584d425ecec0f1c5d23cc029bb23d0
Instruction ID: 1733b21800395f014d36eef0e5ce9eb48ef7262c0fcf8fd7f6d27637c3d742e5
Opcode Fuzzy Hash: 5b1e600d6c252e099bcbd9a694332d9d4c584d425ecec0f1c5d23cc029bb23d0
Instruction Fuzzy Hash: A9414275E102199FCB00DF64D898ABEBBB9EF48344F008469E959A7261D734AA46CF90

Function 00C49C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C49CA1
GetAsyncKeyState.USER32(000000A0), ref: 00C49D22
GetKeyState.USER32(000000A0), ref: 00C49D3D
GetAsyncKeyState.USER32(000000A1), ref: 00C49D57
GetKeyState.USER32(000000A1), ref: 00C49D6C
GetAsyncKeyState.USER32(00000011), ref: 00C49D84
GetKeyState.USER32(00000011), ref: 00C49D96
GetAsyncKeyState.USER32(00000012), ref: 00C49DAE
GetKeyState.USER32(00000012), ref: 00C49DC0
GetAsyncKeyState.USER32(0000005B), ref: 00C49DD8
GetKeyState.USER32(0000005B), ref: 00C49DEA

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b875b26966ce653a0fa4532db0c71ce472a3fbfc6896c0b277a3982adb50cbe3
Instruction ID: 8ae20c0dcdc209ffe54ca4f9bc6b85df6b66f27e196ae22033238354c492063a
Opcode Fuzzy Hash: b875b26966ce653a0fa4532db0c71ce472a3fbfc6896c0b277a3982adb50cbe3
Instruction Fuzzy Hash: 7D41D5349047EA6DFF308A6488447B7BEA0FB11344F04805EDAD6565C2DBB59BC8C7A2

Function 00C6055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C605BC
inet_addr.WSOCK32(?), ref: 00C6061C
gethostbyname.WSOCK32(?), ref: 00C60628
IcmpCreateFile.IPHLPAPI ref: 00C60636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00C607B9
WSACleanup.WSOCK32 ref: 00C607BF

Strings

Ping, xrefs: 00C60676

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 79ec0e0d149b67a790ad292530fb157a018c493f9fdd3ee3981e2533a40285db
Instruction ID: 66d3eb8021fdac66a8dd881447cf20b2694b5de08a49c98e62abdd7e7f1845b2
Opcode Fuzzy Hash: 79ec0e0d149b67a790ad292530fb157a018c493f9fdd3ee3981e2533a40285db
Instruction Fuzzy Hash: 63917C756082419FD720DF15D8C9F1BBBE0AF44318F2485A9F46AAB6A2C730ED85CF91

Function 00C68CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00C68CF3

Part of subcall function 00C48E54: _wcslen.LIBCMT ref: 00C48E77

_wcslen.LIBCMT ref: 00C68D4E
_wcslen.LIBCMT ref: 00C68D9C
_wcslen.LIBCMT ref: 00C68DDC
_wcslen.LIBCMT ref: 00C68E6E

Strings

winapi, xrefs: 00C68D96, 00C68D9B
stdcall, xrefs: 00C68DD6, 00C68DDB
cdecl, xrefs: 00C68D48, 00C68D4D
none, xrefs: 00C68E65, 00C68E6A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 805b176f3bf27aa8e35d2d89f3038238718aa504be8cde3fcc792c313f30f5a2
Instruction ID: da43f3b4bd5de26cd5c6184737b33e19423357665dfff2050beb5b70b474f230
Opcode Fuzzy Hash: 805b176f3bf27aa8e35d2d89f3038238718aa504be8cde3fcc792c313f30f5a2
Instruction Fuzzy Hash: D051BF75A001179BCF24DF68C8909BEB3E5BF65724B204329E926E72C0DB31DE48C790

Function 00C6372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00C63774
CoUninitialize.OLE32 ref: 00C6377F
CoCreateInstance.OLE32(?,00000000,00000017,00C7FB78,?), ref: 00C637D9
IIDFromString.OLE32(?,?), ref: 00C6384C
VariantInit.OLEAUT32(?), ref: 00C638E4
VariantClear.OLEAUT32(?), ref: 00C63936

Strings

NULL Pointer assignment, xrefs: 00C6381E
Failed to create object, xrefs: 00C637E4, 00C6389A
Invalid parameter, xrefs: 00C63865

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1d2bce6901b1eadea08dffb82069eeabce9e2f7ebf9d2a29a5a38db21433eaba
Instruction ID: 6576fffded3d3df7bc9e59b0d1e276a2c893a380faca0231e64846f1c4ebc1e4
Opcode Fuzzy Hash: 1d2bce6901b1eadea08dffb82069eeabce9e2f7ebf9d2a29a5a38db21433eaba
Instruction Fuzzy Hash: 7561A3706083419FD320DF65C889BAAB7E4EF49714F10095EF9959B291D770EE48CB92

Function 00C53388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C533CF

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C533F0

Strings

^ ERROR , xrefs: 00C5349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00C53504
Line %d (File "%s"):, xrefs: 00C53443, 00C5345C
Error: , xrefs: 00C534D1
"%s" (%d) : ==> %s:, xrefs: 00C53522
Incorrect parameters to object property !, xrefs: 00C534AB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 177bfb4452b58cc4138f321d45e7fb104145472def4f0f8b37657f78ab9ab8ca
Instruction ID: e01b95c734aafa7b9fabc76f4889f5e3447a1c0fef0df20bc127af0665d28d66
Opcode Fuzzy Hash: 177bfb4452b58cc4138f321d45e7fb104145472def4f0f8b37657f78ab9ab8ca
Instruction Fuzzy Hash: 8D51B13190024AAADF15EBE1CD46EEEB7F8EF14740F6441A5F90572062EB312F98DB60

Function 00C4B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C4B5FC
_wcslen.LIBCMT ref: 00C4B608
_wcslen.LIBCMT ref: 00C4B64D
_wcslen.LIBCMT ref: 00C4B68C
_wcslen.LIBCMT ref: 00C4B6C7

Strings

REMOVE, xrefs: 00C4B602, 00C4B607
EXISTS, xrefs: 00C4B686, 00C4B68B
KEYS, xrefs: 00C4B647, 00C4B64C
APPEND, xrefs: 00C4B6C1, 00C4B6C6

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e6ac6354099e8db8793e4c3f2ccfb2b2930ddb5571d356d06f103007d0585e53
Instruction ID: 30ddebf781b5dbb85c3d24e9948bc05d2b12a2be0296e701e33776487fc71786
Opcode Fuzzy Hash: e6ac6354099e8db8793e4c3f2ccfb2b2930ddb5571d356d06f103007d0585e53
Instruction Fuzzy Hash: 7D41E532A000279ACB249F7DC8905FEB7B5BFA1758B264129F935DB284E731CE81C790

Function 00C55393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C55416
GetLastError.KERNEL32 ref: 00C55420
SetErrorMode.KERNEL32(00000000,READY), ref: 00C554A7

Strings

INVALID, xrefs: 00C55459
READY, xrefs: 00C55460, 00C55468
READONLY, xrefs: 00C55452
UNKNOWN, xrefs: 00C55444
NOTREADY, xrefs: 00C5544B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 429b20b579d54585a7bb6e3358be21f9141b0cb121e64a9828802e311891d3b5
Instruction ID: e7e384585c9476487a0867483baefa483fd77e61f2381b7ac6f57f4e048ff557
Opcode Fuzzy Hash: 429b20b579d54585a7bb6e3358be21f9141b0cb121e64a9828802e311891d3b5
Instruction Fuzzy Hash: 0F31A279A005059FDB10DF69C494BAD7BF4EF0530AF188069E815CB292D731DECACB90

Function 00C73C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00C73C79
SetMenu.USER32(?,00000000), ref: 00C73C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C73D10
IsMenu.USER32(?), ref: 00C73D24
CreatePopupMenu.USER32 ref: 00C73D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C73D5B
DrawMenuBar.USER32 ref: 00C73D63

Strings

0, xrefs: 00C73C54
F, xrefs: 00C73D4E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 7f58d84ddc75dab347d83c20de89c42e7f8940165d7552898bfbb66e1f7fccd5
Instruction ID: a9f26a2b18e8125892e64363e24f3d85256f3a99d0b7e5b1dadc337c17f62421
Opcode Fuzzy Hash: 7f58d84ddc75dab347d83c20de89c42e7f8940165d7552898bfbb66e1f7fccd5
Instruction Fuzzy Hash: 60418C74A0120AAFDB24CF64D888B9E7BB5FF49350F14402CE95AA7360D771AA10DB90

Function 00C41EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C43CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C41F64
GetDlgCtrlID.USER32 ref: 00C41F6F
GetParent.USER32 ref: 00C41F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C41F8E
GetDlgCtrlID.USER32(?), ref: 00C41F97
GetParent.USER32(?), ref: 00C41FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C41FAE

Strings

ComboBox, xrefs: 00C41EEC
ListBox, xrefs: 00C41F21

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 76cccec2da7e996954c6347421a643c13866298f4e9b6600df9b1e2550c339a5
Instruction ID: d5848a62fb8c903eda199115b50f3432f90692225f20a2773981a66c223bf7d0
Opcode Fuzzy Hash: 76cccec2da7e996954c6347421a643c13866298f4e9b6600df9b1e2550c339a5
Instruction Fuzzy Hash: 3521BE70900214BBDF04AFA1DCC5AEEBBB8FF06350B104159B9A5A72A1DB355A899B60

Function 00C41FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C43CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C42043
GetDlgCtrlID.USER32 ref: 00C4204E
GetParent.USER32 ref: 00C4206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C4206D
GetDlgCtrlID.USER32(?), ref: 00C42076
GetParent.USER32(?), ref: 00C4208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C4208D

Strings

ComboBox, xrefs: 00C41FCD
ListBox, xrefs: 00C42002

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b710fd33f71a629366190ef402d63bdad1fa0dd282fa1c887c5981dd4347ee3e
Instruction ID: dc1ddfce09fc550fc85c9f622cf32d13bd8fb836aa3dbd034f17e3fcb0d19ebc
Opcode Fuzzy Hash: b710fd33f71a629366190ef402d63bdad1fa0dd282fa1c887c5981dd4347ee3e
Instruction Fuzzy Hash: 4B21BE71900214BBCB10AFA0DCC5BEEBBB8FB05340F104459B955A72A1DB758958DB60

Function 00C73A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C73A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C73AA0
GetWindowLongW.USER32(?,000000F0), ref: 00C73AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C73AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C73B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C73BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C73BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C73BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C73BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C73C13

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a6a97e11bb7b397c6c1bbf94fd024bbec81336b945b9568659f3545c29ec96f6
Instruction ID: f0248e1bb406eb559be882a0424daada7ac17a6b0984eeefcee9640c315d8914
Opcode Fuzzy Hash: a6a97e11bb7b397c6c1bbf94fd024bbec81336b945b9568659f3545c29ec96f6
Instruction Fuzzy Hash: 55617B75900288AFDB11DFA8CC81FEE77F8EB09710F144199FA19A72A1D770AE41EB50

Function 00C4B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C4B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C4A1E1,?,00000001), ref: 00C4B165
GetWindowThreadProcessId.USER32(00000000), ref: 00C4B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C4A1E1,?,00000001), ref: 00C4B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C4A1E1,?,00000001), ref: 00C4B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C4A1E1,?,00000001), ref: 00C4B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C4A1E1,?,00000001), ref: 00C4B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C4A1E1,?,00000001), ref: 00C4B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C4A1E1,?,00000001), ref: 00C4B21D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 59dfc8d5bb6a2d1933a21ed2af85002a29b5cd14ed941cfbef54e541dfb7c97f
Instruction ID: 8051984b16a18f2e9527d5fb36dee1bd2994044e86af5fa3daf3f15a085b2e66
Opcode Fuzzy Hash: 59dfc8d5bb6a2d1933a21ed2af85002a29b5cd14ed941cfbef54e541dfb7c97f
Instruction Fuzzy Hash: D1318B75540209BFDB20AF64EC98BAE7BADBF51311F104119FA29D6190D7B8DE808F60

Function 00C12C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C12C94

Part of subcall function 00C129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000), ref: 00C129DE
Part of subcall function 00C129C8: GetLastError.KERNEL32(00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000,00000000), ref: 00C129F0

_free.LIBCMT ref: 00C12CA0
_free.LIBCMT ref: 00C12CAB
_free.LIBCMT ref: 00C12CB6
_free.LIBCMT ref: 00C12CC1
_free.LIBCMT ref: 00C12CCC
_free.LIBCMT ref: 00C12CD7
_free.LIBCMT ref: 00C12CE2
_free.LIBCMT ref: 00C12CED
_free.LIBCMT ref: 00C12CFB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4c0e586c978e3b6bf74d57f3f1907b529b32149ddf5c616a8a41cf400bfba400
Instruction ID: 4c9b611f93b7a807d6a5a116c26d2198b51f80b88023efd88ab111ca6ea01e4b
Opcode Fuzzy Hash: 4c0e586c978e3b6bf74d57f3f1907b529b32149ddf5c616a8a41cf400bfba400
Instruction Fuzzy Hash: 8B11477A510108AFCB02EF58D942CDD3BA5FF06360F5145A5FA495F222D631EEB0BB90

Function 00C57DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C57FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C57FC1
GetFileAttributesW.KERNEL32(?), ref: 00C57FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C58005
SetCurrentDirectoryW.KERNEL32(?), ref: 00C58017
SetCurrentDirectoryW.KERNEL32(?), ref: 00C58060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C580B0

Strings

*.*, xrefs: 00C58066

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 983b63ecd545cd02ce9f338e0f0d718c096c4f0e18125a8e32ce324abe556f44
Instruction ID: 5a2c4233c6c6bb664dca4bfa7146dc6ceefd382fa2816c63d2aad39a8bb2aa4e
Opcode Fuzzy Hash: 983b63ecd545cd02ce9f338e0f0d718c096c4f0e18125a8e32ce324abe556f44
Instruction Fuzzy Hash: 2E81DE755083419FCB20EE15C881AAEB3E8AB88311F14495EFC99D7250EB74DECD8B96

Function 00BE5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00BE5C7A

Part of subcall function 00BE5D0A: GetClientRect.USER32(?,?), ref: 00BE5D30
Part of subcall function 00BE5D0A: GetWindowRect.USER32(?,?), ref: 00BE5D71
Part of subcall function 00BE5D0A: ScreenToClient.USER32(?,?), ref: 00BE5D99

GetDC.USER32 ref: 00C246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C24708
SelectObject.GDI32(00000000,00000000), ref: 00C24716
SelectObject.GDI32(00000000,00000000), ref: 00C2472B
ReleaseDC.USER32(?,00000000), ref: 00C24733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C247C4

Strings

U, xrefs: 00C24693

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5e11ece0e35d633eb47e00fac6546a5eba78053d576482253086b7b6bc697ede
Instruction ID: 63d15af2aa0c6a2c7c34ccbe12e2361f7f22e93e8c237dc6b044fdb4463a6568
Opcode Fuzzy Hash: 5e11ece0e35d633eb47e00fac6546a5eba78053d576482253086b7b6bc697ede
Instruction Fuzzy Hash: C6710F30500205DFCF298F64D984ABE3BB1FF4A324F2842A9FD665A2A6C3319981DF50

Function 00C5359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C535E4

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

LoadStringW.USER32(00CB2390,?,00000FFF,?), ref: 00C5360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C53724
Line %d (File "%s"):, xrefs: 00C5366B
Error: , xrefs: 00C536EF
^ ERROR, xrefs: 00C536C9
"%s" (%d) : ==> %s:, xrefs: 00C53742

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d76ba2139ab05a71506d890505e8a10ae95ed132825714c509302bcc7ad17aaa
Instruction ID: 9aca0757e011f3ae5a3f686c8cbb8c4563669d1fdca419ceec7b70f538c4e893
Opcode Fuzzy Hash: d76ba2139ab05a71506d890505e8a10ae95ed132825714c509302bcc7ad17aaa
Instruction Fuzzy Hash: C1518F71C0028AABCF15EBA1CC42EEEBBB8EF14381F584165F505721A1EB301BD9DB64

Function 00C5C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C5C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C5C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C5C2CA
GetLastError.KERNEL32 ref: 00C5C322
SetEvent.KERNEL32(?), ref: 00C5C336
InternetCloseHandle.WININET(00000000), ref: 00C5C341

Strings

, xrefs: 00C5C2BB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2851cf2a2620d468978266dc52febff02c445d626807e838679b163764d18f93
Instruction ID: 81a0dc7d3cd46d18c56d9382ea912417be3d611a19130f7da04063e8d3dcef77
Opcode Fuzzy Hash: 2851cf2a2620d468978266dc52febff02c445d626807e838679b163764d18f93
Instruction Fuzzy Hash: CD318DB5500308AFD7219F658CC8BAF7AFCEB49741F10851DF85AD2210DB34DD889B64

Function 00C4989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C23AAF,?,?,Bad directive syntax error,00C7CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C498BC
LoadStringW.USER32(00000000,?,00C23AAF,?), ref: 00C498C3

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C49987

Strings

Line %d (File "%s"):, xrefs: 00C4992D
., xrefs: 00C4996D
Line %d:, xrefs: 00C49912
Error: , xrefs: 00C49955
%s (%d) : ==> %s.: %s %s, xrefs: 00C498F1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d509bf8e2a7d777b522a6e9c887e127f89ea9b59509c5ddfce58e37ee99d8708
Instruction ID: 2731ddb15a0d565ce0ae7ada245fcaa6db2eb50767aa04820ece3aea0f2a5f9a
Opcode Fuzzy Hash: d509bf8e2a7d777b522a6e9c887e127f89ea9b59509c5ddfce58e37ee99d8708
Instruction Fuzzy Hash: 3A21913180025EEBCF15EF90CC4AEEE77B5FF18704F0844A9F519660A2EB719A58DB20

Function 00C4209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C4214D

Strings

largeicons, xrefs: 00C420E1
SHELLDLL_DefView, xrefs: 00C420CC
list, xrefs: 00C4212F
details, xrefs: 00C420FB
smallicons, xrefs: 00C42115

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: f8b888dee3e6feb94cb289e8f3c415fa1987db9ef8b900a02438cb162a1e8a9c
Instruction ID: 49dac21fb24b0de678f926c74e47aa32e87ab9ad028ee957a8dff61d68a52cf8
Opcode Fuzzy Hash: f8b888dee3e6feb94cb289e8f3c415fa1987db9ef8b900a02438cb162a1e8a9c
Instruction Fuzzy Hash: 7E112C76688707BAF7053225EC07EEF379CEF05725B60402AF705A50D1FE655D416624

Function 00C18D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318f7b4eeb4bc9e020ad66919c3f3677a8151efbf9cf466b72c66df2a5eb407e
Instruction ID: f2490b25de28689caae62feb649c8bfa12e28b42cc0be75fbf672b7a2674ee8a
Opcode Fuzzy Hash: 318f7b4eeb4bc9e020ad66919c3f3677a8151efbf9cf466b72c66df2a5eb407e
Instruction Fuzzy Hash: 47C1C474A042499FDF21DFA8D851BEDBBB0AF0E310F144199E425A7392C7349AC2EB61

Function 00C1CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C1CEB7
_free.LIBCMT ref: 00C1CF22
_free.LIBCMT ref: 00C1CF48
_free.LIBCMT ref: 00C1CF71
_free.LIBCMT ref: 00C1CFA9
_free.LIBCMT ref: 00C1CFDA
_free.LIBCMT ref: 00C1D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C1D09C
_free.LIBCMT ref: 00C1D0B5

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 5e62db8da1a8a26e07900b00b0aa10b72d56b3f9524352218300f44eaa09bbfe
Instruction ID: 6349fed8b4186d10f160e4f646126b5bf3521415551969e642a919997ae0b9c4
Opcode Fuzzy Hash: 5e62db8da1a8a26e07900b00b0aa10b72d56b3f9524352218300f44eaa09bbfe
Instruction Fuzzy Hash: 1E611571A44300AFDB21AFF498C1BEE7BA5AF07320F14426DF95597281D6319AC2F790

Function 00C750D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00C75186
ShowWindow.USER32(?,00000000), ref: 00C751C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00C751CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00C751D1

Part of subcall function 00C76FBA: DeleteObject.GDI32(00000000), ref: 00C76FE6

GetWindowLongW.USER32(?,000000F0), ref: 00C7520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C7521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C7524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00C75287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00C75296

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: a27df89d8886ff862f8232194e0ce7d136bc4ecf5c3d086cb84f86fe44ede097
Instruction ID: 8cc73d71e0af2bf39b5ca0499658cf1b1ac799cc63d9533d6dee8ce62456a862
Opcode Fuzzy Hash: a27df89d8886ff862f8232194e0ce7d136bc4ecf5c3d086cb84f86fe44ede097
Instruction Fuzzy Hash: 47518230A40A09BFEF249F25CC49BDD3BA5FB05362F54C115FA2D962E1C7B5AA90DB40

Function 00BF8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C36890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BF8874,00000000,00000000,00000000,000000FF,00000000), ref: 00C36901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C3691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BF8874,00000000,00000000,00000000,000000FF,00000000), ref: 00C3692D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 380e1facffca45cb1603a36b82344eb9b01fd072bd43fdedcb3b9518485d4677
Instruction ID: 1157ae548cb27c6fa66fa3cb9bdf24f04f24a1585561bb0d3ed1803d790d1634
Opcode Fuzzy Hash: 380e1facffca45cb1603a36b82344eb9b01fd072bd43fdedcb3b9518485d4677
Instruction Fuzzy Hash: 5A517870A00209AFDB20CF25CC95BAA7BF5FB48760F104558FA56972A0DB71EA94DB50

Function 00C5C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C5C182
GetLastError.KERNEL32 ref: 00C5C195
SetEvent.KERNEL32(?), ref: 00C5C1A9

Part of subcall function 00C5C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C5C272
Part of subcall function 00C5C253: GetLastError.KERNEL32 ref: 00C5C322
Part of subcall function 00C5C253: SetEvent.KERNEL32(?), ref: 00C5C336
Part of subcall function 00C5C253: InternetCloseHandle.WININET(00000000), ref: 00C5C341

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8ec0e7e42df509f6448a236aeceebfc774d6f137b871f59124f3c8b050395f37
Instruction ID: 2449406cb9f6f3d2a2ff7ae063104ffac56e76d5d4ba50b5c709b654c1ae28f4
Opcode Fuzzy Hash: 8ec0e7e42df509f6448a236aeceebfc774d6f137b871f59124f3c8b050395f37
Instruction Fuzzy Hash: 9A317E79100701AFDB259FA5DC84B6BBBE9FF18302F00441DF96A86611DB30E9989BA4

Function 00C425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C43A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C43A57
Part of subcall function 00C43A3D: GetCurrentThreadId.KERNEL32 ref: 00C43A5E
Part of subcall function 00C43A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C425B3), ref: 00C43A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C42601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C42605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C4260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C42623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C42627

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 26358d320fc22cbe3b0054a5cb4902b19f19186bdb4e35bf65dbdd97870a0148
Instruction ID: d7982d046d3b420e65f0bce4fe848433aa83c2140cad11630cb80a9058641d11
Opcode Fuzzy Hash: 26358d320fc22cbe3b0054a5cb4902b19f19186bdb4e35bf65dbdd97870a0148
Instruction Fuzzy Hash: 8601D430390610BBFB2067699CCAF5D3F59EF8EB22F500019F318AE0D1C9E22484DA69

Function 00C41803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C41449,?,?,00000000), ref: 00C4180C
HeapAlloc.KERNEL32(00000000,?,00C41449,?,?,00000000), ref: 00C41813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C41449,?,?,00000000), ref: 00C41828
GetCurrentProcess.KERNEL32(?,00000000,?,00C41449,?,?,00000000), ref: 00C41830
DuplicateHandle.KERNEL32(00000000,?,00C41449,?,?,00000000), ref: 00C41833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C41449,?,?,00000000), ref: 00C41843
GetCurrentProcess.KERNEL32(00C41449,00000000,?,00C41449,?,?,00000000), ref: 00C4184B
DuplicateHandle.KERNEL32(00000000,?,00C41449,?,?,00000000), ref: 00C4184E
CreateThread.KERNEL32(00000000,00000000,00C41874,00000000,00000000,00000000), ref: 00C41868

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: dffed33b2f3bc96a54378d8693ec961f7a3b9447172d2b59fb0a83734d118f0f
Instruction ID: e838d5e88bce3c82335bd9fd9e20e67c5a1d50eb75f461ee15c226c2bb06ed2e
Opcode Fuzzy Hash: dffed33b2f3bc96a54378d8693ec961f7a3b9447172d2b59fb0a83734d118f0f
Instruction Fuzzy Hash: FC01BBB5640309BFE710ABB5DC8DF6F3BACEB89B11F414425FA09DB1A1CA709850CB20

Function 00C6A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C4D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C4D501
Part of subcall function 00C4D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C4D50F
Part of subcall function 00C4D4DC: CloseHandle.KERNELBASE(00000000), ref: 00C4D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C6A16D
GetLastError.KERNEL32 ref: 00C6A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C6A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C6A268
GetLastError.KERNEL32(00000000), ref: 00C6A273
CloseHandle.KERNEL32(00000000), ref: 00C6A2C4

Strings

SeDebugPrivilege, xrefs: 00C6A18F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 754b246347fbf203cf77a1be2f96edb05ec49b390b6e948c0285db26101fdb6a
Instruction ID: 7f164f569af676504c732468704c34e480be52743caf91af1c682dce0ced78b3
Opcode Fuzzy Hash: 754b246347fbf203cf77a1be2f96edb05ec49b390b6e948c0285db26101fdb6a
Instruction Fuzzy Hash: 59618E702042429FD720DF19C4D4F1ABBE1AF54318F54849CE46A9B7A3C772ED89CB92

Function 00C73886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C73925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C7393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C73954
_wcslen.LIBCMT ref: 00C73999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C739F4

Strings

SysListView32, xrefs: 00C738F7

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0da12f98bf7239c223464f6db63b40a58b8cb662175e1985650ae732fbb9b539
Instruction ID: 157c679d9866f67f5a50f5c980c063fd814d4d109bcda20d7e37639eede0104c
Opcode Fuzzy Hash: 0da12f98bf7239c223464f6db63b40a58b8cb662175e1985650ae732fbb9b539
Instruction Fuzzy Hash: D041A371A00259ABDF219F64CC89BEE7BA9FF08354F10452AF958E72C1D7719A80DB90

Function 00C4BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C4BCFD
IsMenu.USER32(00000000), ref: 00C4BD1D
CreatePopupMenu.USER32 ref: 00C4BD53
GetMenuItemCount.USER32(01116928), ref: 00C4BDA4
InsertMenuItemW.USER32(01116928,?,00000001,00000030), ref: 00C4BDCC

Strings

0, xrefs: 00C4BCA8
2, xrefs: 00C4BD37

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 5c6500747f7506e12e3e67c9170d24199ff977aaa0b8adc8b65b4cc8f603acaa
Instruction ID: ba9c9f5724250da0b604b1acda2951d61fc1cd6dfc973474917457737ef58f0a
Opcode Fuzzy Hash: 5c6500747f7506e12e3e67c9170d24199ff977aaa0b8adc8b65b4cc8f603acaa
Instruction Fuzzy Hash: E151AD70E002059BDF20CFA9D8C4BAEBBF8BF55314F144199E42597298D770EE45CB61

Function 00C4C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C4C913

Strings

warning, xrefs: 00C4C8FC
blank, xrefs: 00C4C895
info, xrefs: 00C4C8B4
question, xrefs: 00C4C8CC
stop, xrefs: 00C4C8E4

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 344c8cf5aa194c6dea0864443e2379d94f9d2c13a2dab5aeab02ae4165d698a0
Instruction ID: a589e6ef41d989b0c139364fcd1782d22c7976550a8f1dcbf160f00f636f6449
Opcode Fuzzy Hash: 344c8cf5aa194c6dea0864443e2379d94f9d2c13a2dab5aeab02ae4165d698a0
Instruction Fuzzy Hash: 7C110D3278A307BAE7056B559CC3DAF779CEF25358B14003EF610E61E2EB745E406264

Function 00C4DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C4DE42
gethostname.WSOCK32(?,00000100), ref: 00C4DE5C
gethostbyname.WSOCK32(?), ref: 00C4DE69
inet_ntoa.WSOCK32(?), ref: 00C4DEAB
_strcat.LIBCMT ref: 00C4DEB9
WSACleanup.WSOCK32 ref: 00C4DEDE

Strings

0.0.0.0, xrefs: 00C4DE87

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1d96f05bd41f2cadfd5f3bdea09848025a88bb0f42ab09f76f3ff77ed619fff6
Instruction ID: 214816a2e7bf7d750712ffd92164b5f9e99361cc310f7b309680fc3afd1ee61c
Opcode Fuzzy Hash: 1d96f05bd41f2cadfd5f3bdea09848025a88bb0f42ab09f76f3ff77ed619fff6
Instruction Fuzzy Hash: DB11A271904116ABCB24BB60DC4AFEE77ACEB11711F0101ADF55AAA0D1EF718A81DA51

Function 00C79F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BF9BB2

GetSystemMetrics.USER32(0000000F), ref: 00C79FC7
GetSystemMetrics.USER32(0000000F), ref: 00C79FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C7A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C7A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C7A263
ShowWindow.USER32(00000003,00000000), ref: 00C7A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00C7A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C7A2CA

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 9956531acaee281b9a8000922324b734af10a62bb8d311de3cad586c872d230b
Instruction ID: 17d9931f5793017622e02b1e72cedb0deb878f9b2689db1f12eb5c75114f9733
Opcode Fuzzy Hash: 9956531acaee281b9a8000922324b734af10a62bb8d311de3cad586c872d230b
Instruction Fuzzy Hash: F1B16831600215EFDF14CF69C9C57AE7BB2BF84711F09C069EC59AB296DB31AA80CB51

Function 00C4ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C4ED2A
_wcslen.LIBCMT ref: 00C4ED3B
_wcslen.LIBCMT ref: 00C4ED79
_wcslen.LIBCMT ref: 00C4EDAF
_wcslen.LIBCMT ref: 00C4EDDF
_wcslen.LIBCMT ref: 00C4EDEF
_wcslen.LIBCMT ref: 00C4EE2B
_wcslen.LIBCMT ref: 00C4EE5A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f97a35a5a6dbbd0129870baf287089de46608951de4350d6356bdaf267625cdd
Instruction ID: 4b430d6963700cdf1513ff397ba8bec465baa64fa5b4399d1097f3d07b2d9600
Opcode Fuzzy Hash: f97a35a5a6dbbd0129870baf287089de46608951de4350d6356bdaf267625cdd
Instruction Fuzzy Hash: 0F41A365C1021875CB11EBF4CC8AACFB7ACBF45710F508462E918E3162FB34E655C3A5

Function 00BFF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C3682C,00000004,00000000,00000000), ref: 00BFF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C3682C,00000004,00000000,00000000), ref: 00C3F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C3682C,00000004,00000000,00000000), ref: 00C3F454

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 76ddc93d6c1a08e4eefab3c5c50978d99eec37a377a6349c3efa9c547ed741c7
Instruction ID: 8b0b0145f903cd60a34877e3e6c8ee1dbc5ac4e75e086d4c64826d58417ab652
Opcode Fuzzy Hash: 76ddc93d6c1a08e4eefab3c5c50978d99eec37a377a6349c3efa9c547ed741c7
Instruction Fuzzy Hash: 9C415031A1468ABAC7388B29C8C873E7BD1EF55310F54C4BCE28B53570C6B2D989CB11

Function 00C72D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C72D1B
GetDC.USER32(00000000), ref: 00C72D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C72D2E
ReleaseDC.USER32(00000000,00000000), ref: 00C72D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C72D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C72D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C75A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C72DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C72DE1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c6452ac96249d736ee50668278aa411681ca7aa309366478e37acf5b407b068d
Instruction ID: 411cae1501dc86ac2b58bb6c6034dde9ffb2684f907ee900262b487926a36216
Opcode Fuzzy Hash: c6452ac96249d736ee50668278aa411681ca7aa309366478e37acf5b407b068d
Instruction Fuzzy Hash: 07316B72201214BFEB218F508C8AFEB3FADEB19755F048059FE0C9A291D6759C90CBA4

Function 00C45622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C45637
_memcmp.LIBVCRUNTIME ref: 00C45659
_memcmp.LIBVCRUNTIME ref: 00C45671
_memcmp.LIBVCRUNTIME ref: 00C45684
_memcmp.LIBVCRUNTIME ref: 00C4569E
_memcmp.LIBVCRUNTIME ref: 00C456B1
_memcmp.LIBVCRUNTIME ref: 00C456C9
_memcmp.LIBVCRUNTIME ref: 00C456E4

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 31b4ebc03e54846f218fa281bd39fd59d9ba38ac5815744e6b563181a280496e
Instruction ID: 5149d325bd409a474ef2634cf73cb141f3bdd43c3ddb02a01f009551f5bb8518
Opcode Fuzzy Hash: 31b4ebc03e54846f218fa281bd39fd59d9ba38ac5815744e6b563181a280496e
Instruction Fuzzy Hash: D021C661740A09BBD21556218EC2FFA735CBF21794F594034FD099A7C3F720EE12D5A5

Function 00C64FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00C6502E, 00C65383
Not an Object type, xrefs: 00C65007

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: a62195fe9bf5bfdd673528603c5c27ea2716034f47b0f6fce7d299fa85f72ab3
Instruction ID: 7b07778b25b3cddc933a4e98c503df41d5bb831bd94f60570912eb757b838332
Opcode Fuzzy Hash: a62195fe9bf5bfdd673528603c5c27ea2716034f47b0f6fce7d299fa85f72ab3
Instruction Fuzzy Hash: F8D1B375A0060AAFDF20CFA8C8C1BAEB7B5FF48344F248469E915AB291D771DE45CB50

Function 00C21522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00C215CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C21651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C216E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C216FB

Part of subcall function 00C13820: RtlAllocateHeap.NTDLL(00000000,?,00CB1444,?,00BFFDF5,?,?,00BEA976,00000010,00CB1440,00BE13FC,?,00BE13C6,?,00BE1129), ref: 00C13852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C21777
__freea.LIBCMT ref: 00C217A2
__freea.LIBCMT ref: 00C217AE

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: aeed0fc0813fdf94a981ba10df859c68f96d0f6da43a276d2f20755e326d6b29
Instruction ID: 061f6b1b2f2793d99fd6430409453bd2f52f2a6908d22983c4bbae1b142e0a48
Opcode Fuzzy Hash: aeed0fc0813fdf94a981ba10df859c68f96d0f6da43a276d2f20755e326d6b29
Instruction Fuzzy Hash: F291C471E002269EDB208E65E881AEE7BF5EFA9710F1C4669EC15E7581DB35CE40C7A0

Function 00C64523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C64648
VariantInit.OLEAUT32(?), ref: 00C64749
VariantClear.OLEAUT32(?), ref: 00C64753
VariantClear.OLEAUT32(?), ref: 00C647B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C6472C
Null Object assignment in FOR..IN loop, xrefs: 00C645D8, 00C64706, 00C647BE

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 8a04001928eae11f5a857026ec2c9ee34b12a726a283fb70c42be0695593b3e5
Instruction ID: 5ad051d6e261d4933d1ce96286c1f7f221273486afc9f488a168f2ab39030f68
Opcode Fuzzy Hash: 8a04001928eae11f5a857026ec2c9ee34b12a726a283fb70c42be0695593b3e5
Instruction Fuzzy Hash: 47915171A00219ABDF38CFA5CC84FAEBBB8EF46714F108559F515AB280D7709945CBA0

Function 00C51187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C5125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C51284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C5135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C51430

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: db0a35c617deb55c6dcad9bc9338fdab44e485a47108a64506369c3b39c843ed
Instruction ID: cef7b909ba1af69c05eb1ccc60f9232436e3cc395d271485418127484447fa14
Opcode Fuzzy Hash: db0a35c617deb55c6dcad9bc9338fdab44e485a47108a64506369c3b39c843ed
Instruction Fuzzy Hash: 1E910379A00219AFDB00DFA4C889BBE77F5FF44312F194029ED10E7291D774A989CB98

Function 00BF948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 162f4ee97404c46a10d299c4534f062964497278accde5cc8169f08f91b178f6
Instruction ID: a1010709aa86ae0f6e781c975edcdc1282e059e1cc907301f921b33b4e1f2c26
Opcode Fuzzy Hash: 162f4ee97404c46a10d299c4534f062964497278accde5cc8169f08f91b178f6
Instruction Fuzzy Hash: 33913871D00219EFCB14CFA9CC84AEEBBB8FF49320F148599E615B7251D375AA45CBA0

Function 00C63947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C6396B
CharUpperBuffW.USER32(?,?), ref: 00C63A7A
_wcslen.LIBCMT ref: 00C63A8A
VariantClear.OLEAUT32(?), ref: 00C63C1F

Part of subcall function 00C50CDF: VariantInit.OLEAUT32(00000000), ref: 00C50D1F
Part of subcall function 00C50CDF: VariantCopy.OLEAUT32(?,?), ref: 00C50D28
Part of subcall function 00C50CDF: VariantClear.OLEAUT32(?), ref: 00C50D34

Strings

Incorrect Parameter format, xrefs: 00C639A6, 00C63BA1
AUTOIT.ERROR, xrefs: 00C63A80, 00C63A85

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: e0c78f0a3d950d4ce06aaca249d8357008331879cc94fd2adda26baf60f35032
Instruction ID: 45a9718258631fa250be8d0c953b6979b83aa61994753061188c990ab5e331a2
Opcode Fuzzy Hash: e0c78f0a3d950d4ce06aaca249d8357008331879cc94fd2adda26baf60f35032
Instruction Fuzzy Hash: 269188746083859FC714EF64C48092AB7E4FF89314F14896DF89A9B352DB30EE49CB82

Function 00C64BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C4000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?,?,?,00C4035E), ref: 00C4002B
Part of subcall function 00C4000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?,?), ref: 00C40046
Part of subcall function 00C4000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?,?), ref: 00C40054
Part of subcall function 00C4000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?), ref: 00C40064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C64C51
_wcslen.LIBCMT ref: 00C64D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C64DCF
CoTaskMemFree.OLE32(?), ref: 00C64DDA

Strings

NULL Pointer assignment, xrefs: 00C64E23, 00C64E52

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 1dbb265abfd9ba44857dab4bc61a3b3221b64a15d770abf8e17ebc5ef2fb476e
Instruction ID: 83a2788f4fe2a36d9fee78da0fcf195ec470c6919b2d541545b8e7b227b82ba6
Opcode Fuzzy Hash: 1dbb265abfd9ba44857dab4bc61a3b3221b64a15d770abf8e17ebc5ef2fb476e
Instruction Fuzzy Hash: 7B910771D00219EFDF24DFA5C891AEEB7B9BF08310F108169E915A7291DB35AA45CF60

Function 00C720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C72183
GetMenuItemCount.USER32(00000000), ref: 00C721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C721DD
_wcslen.LIBCMT ref: 00C72213
GetMenuItemID.USER32(?,?), ref: 00C7224D
GetSubMenu.USER32(?,?), ref: 00C7225B

Part of subcall function 00C43A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C43A57
Part of subcall function 00C43A3D: GetCurrentThreadId.KERNEL32 ref: 00C43A5E
Part of subcall function 00C43A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C425B3), ref: 00C43A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C722E3

Part of subcall function 00C4E97B: Sleep.KERNEL32 ref: 00C4E9F3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c77f8912dfbd320ab071767219dfec611c151e51531c8da5e4ac8776a87b8ee7
Instruction ID: c9cf4c6b2ca072105d68b403110e3cf7f29c8cc26df323f28043eb75a311ef1e
Opcode Fuzzy Hash: c77f8912dfbd320ab071767219dfec611c151e51531c8da5e4ac8776a87b8ee7
Instruction Fuzzy Hash: 69719275E00205AFCB10DF65C885AAEBBF5FF48320F148499E96AEB351D734EE419B90

Function 00C77E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01116900), ref: 00C77F37
IsWindowEnabled.USER32(01116900), ref: 00C77F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00C7801E
SendMessageW.USER32(01116900,000000B0,?,?), ref: 00C78051
IsDlgButtonChecked.USER32(?,?), ref: 00C78089
GetWindowLongW.USER32(01116900,000000EC), ref: 00C780AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C780C3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5ab8d9736d911598be80850318e8c54762ddbbabbdd67a03bcaf0a464c5cd704
Instruction ID: 84757d335f716396e65b3a6f132da26926aa6fb994fe6b7a1a42fd068be57133
Opcode Fuzzy Hash: 5ab8d9736d911598be80850318e8c54762ddbbabbdd67a03bcaf0a464c5cd704
Instruction Fuzzy Hash: B471B134608248AFEB21DFA4C9D4FAE7BB9EF09300F148559F96D57261CB31AA45DB20

Function 00C4AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C4AEF9
GetKeyboardState.USER32(?), ref: 00C4AF0E
SetKeyboardState.USER32(?), ref: 00C4AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C4AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C4AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C4AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C4B020

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 10017f0de358cab243fe0150d3165e61ae77f30238847d6330089044e7ff4e78
Instruction ID: c3f69c07aef409e756ff4da7b068b82cf383ec8b51c3245f92d97cffadfe8390
Opcode Fuzzy Hash: 10017f0de358cab243fe0150d3165e61ae77f30238847d6330089044e7ff4e78
Instruction Fuzzy Hash: 4151CFE0A447D53EFB3682748845BBBBEA96B06304F088489F1E9458C2C3D8EEC8D751

Function 00C4ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C4AD19
GetKeyboardState.USER32(?), ref: 00C4AD2E
SetKeyboardState.USER32(?), ref: 00C4AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C4ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C4ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C4AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C4AE38

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bd4cc9a34a996e30879fcbcaf0262af299054515e3c81a38c8226a68173f2e64
Instruction ID: 7ff578e11320e948e3b971c0776f632f43454991f7875ffe013b6f4ed0facb4b
Opcode Fuzzy Hash: bd4cc9a34a996e30879fcbcaf0262af299054515e3c81a38c8226a68173f2e64
Instruction Fuzzy Hash: 5151E7A19887D53DFB3783358C95B7A7EA87F46300F088488E1F5468C3D294EE94E752

Function 00C1542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C23CD6,?,?,?,?,?,?,?,?,00C15BA3,?,?,00C23CD6,?,?), ref: 00C15470
__fassign.LIBCMT ref: 00C154EB
__fassign.LIBCMT ref: 00C15506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C23CD6,00000005,00000000,00000000), ref: 00C1552C
WriteFile.KERNEL32(?,00C23CD6,00000000,00C15BA3,00000000,?,?,?,?,?,?,?,?,?,00C15BA3,?), ref: 00C1554B
WriteFile.KERNEL32(?,?,00000001,00C15BA3,00000000,?,?,?,?,?,?,?,?,?,00C15BA3,?), ref: 00C15584

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e0d381abc6d4173b82b0ce1ca0f79ef8320ad40c77d8990d2aedb0ce05084616
Instruction ID: f54decf40252b52f5c464b9ccc973bfa407a7b0da7e0e3ae4140fb7ff5a9d522
Opcode Fuzzy Hash: e0d381abc6d4173b82b0ce1ca0f79ef8320ad40c77d8990d2aedb0ce05084616
Instruction Fuzzy Hash: DB51A471A00649DFDB10CFA8D885BEEBBFAEF4A300F14415AF555E7291D7309A81DB60

Function 00C02D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C02D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C02D53
_ValidateLocalCookies.LIBCMT ref: 00C02DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C02E0C
_ValidateLocalCookies.LIBCMT ref: 00C02E61

Strings

csm, xrefs: 00C02DF6

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 24f7655872b9f49bb3b5947c9181dfdd1d2b860c3693eba11d8da7360bbe0b6e
Instruction ID: bc7d9cff9c28e0bf9e0dac848f68b31e3e4cd1948a55dac8bc877b83254ed131
Opcode Fuzzy Hash: 24f7655872b9f49bb3b5947c9181dfdd1d2b860c3693eba11d8da7360bbe0b6e
Instruction Fuzzy Hash: A641A334A00319ABCF10DF68C889A9EBBB5BF45325F1481A5E8256B3D2D731AE05CBD0

Function 00C610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C6304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C6307A
Part of subcall function 00C6304E: _wcslen.LIBCMT ref: 00C6309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C61112
WSAGetLastError.WSOCK32 ref: 00C61121
WSAGetLastError.WSOCK32 ref: 00C611C9
closesocket.WSOCK32(00000000), ref: 00C611F9

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 3576ba0ee4e678d310faff29dc3c6235daf57f6b9748e8d731c85f5c9c4ba97b
Instruction ID: 93a6df3419fba1d67a85c31875ddc9727f5e617f2a8aef8be4803eebd3205d8d
Opcode Fuzzy Hash: 3576ba0ee4e678d310faff29dc3c6235daf57f6b9748e8d731c85f5c9c4ba97b
Instruction Fuzzy Hash: 5D41D731600205AFDB209F15C8C5BADBBE9EF45315F1C8059FD199B292C774AE85CBE1

Function 00C4CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C4CF22,?), ref: 00C4DDFD

Part of subcall function 00C4DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C4CF22,?), ref: 00C4DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C4CF45
MoveFileW.KERNEL32(?,?), ref: 00C4CF7F
_wcslen.LIBCMT ref: 00C4D005
_wcslen.LIBCMT ref: 00C4D01B
SHFileOperationW.SHELL32(?), ref: 00C4D061

Strings

\*.*, xrefs: 00C4CFF3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c775cb2d6b0156d788535258edec9a99206a5e5ba16c9dcc3b243069482f6e18
Instruction ID: 66b7134950abe148c5b9472ed92b4cec34f51645feb2125782367e9ed58a8aee
Opcode Fuzzy Hash: c775cb2d6b0156d788535258edec9a99206a5e5ba16c9dcc3b243069482f6e18
Instruction Fuzzy Hash: 7C4155719462199FDF12EBA4D9C1ADEB7B8BF08380F1000E6E505EB152EB35A788DB50

Function 00C72DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00C72E1C
GetWindowLongW.USER32(?,000000F0), ref: 00C72E4F
GetWindowLongW.USER32(?,000000F0), ref: 00C72E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00C72EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00C72EE0
GetWindowLongW.USER32(?,000000F0), ref: 00C72EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C72F0B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 573113001354d3866781c22744954eca2cd343841b4a07f80e8ce28908ca1990
Instruction ID: 25bde10be606183f9581c407ced8561dbf80a6fe6757d472d1236315ad5b3741
Opcode Fuzzy Hash: 573113001354d3866781c22744954eca2cd343841b4a07f80e8ce28908ca1990
Instruction Fuzzy Hash: 123115306041519FDB20CF58DCD4F6937E0FB4A721F194168F9588B2B1CB71AD80DB41

Function 00C47726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C47769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4778F
SysAllocString.OLEAUT32(00000000), ref: 00C47792
SysAllocString.OLEAUT32(?), ref: 00C477B0
SysFreeString.OLEAUT32(?), ref: 00C477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C477DE
SysAllocString.OLEAUT32(?), ref: 00C477EC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c98fc7a6e67bd21f062f5dc910baa96fdc6646d402e927deca332e4ebcc9ace3
Instruction ID: 1b2aa8c69ee404f6d825bae57c360d1119e760ca8c0e60d4c0140128b87af6df
Opcode Fuzzy Hash: c98fc7a6e67bd21f062f5dc910baa96fdc6646d402e927deca332e4ebcc9ace3
Instruction Fuzzy Hash: 6E219F7660421AAFDB11DFA8CC88EBA77ACFB093647408129FA15DB150D7709D8587A0

Function 00C477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C47842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C47868
SysAllocString.OLEAUT32(00000000), ref: 00C4786B
SysAllocString.OLEAUT32 ref: 00C4788C
SysFreeString.OLEAUT32 ref: 00C47895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C478AF
SysAllocString.OLEAUT32(?), ref: 00C478BD

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6493b681f7e677f6ed2dc68830168daba959ec4324338cea7d94f7a3f4d6f696
Instruction ID: abc89fb39786f94af4cdcb2640a78e936ef29df25c34d5d81770222c1f3c9ba2
Opcode Fuzzy Hash: 6493b681f7e677f6ed2dc68830168daba959ec4324338cea7d94f7a3f4d6f696
Instruction Fuzzy Hash: 19216031608205AFDB109FA9DC88EBA77ECFB097607108225F925EB2A1D774DD81CB64

Function 00C504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C504F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C5052E

Strings

nul, xrefs: 00C50567

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4144cc9b12531bfbf749447ec9ca6bfca1e42df0eb464cec21669f7bea7aba1c
Instruction ID: 4568b6b0be16f2b182d5ee84036c9b8ceea5ab61d9b1f4ee5878b289ee066993
Opcode Fuzzy Hash: 4144cc9b12531bfbf749447ec9ca6bfca1e42df0eb464cec21669f7bea7aba1c
Instruction Fuzzy Hash: 272182795003069BDB208F29DC45B9A77A4AF44726F704A19FCB1E61E1E7709A88CF28

Function 00C505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C50601

Strings

nul, xrefs: 00C50639

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d72de521ee7b185e356167bc389d44c13dc6bd71f1b09989e0c6c9684fe664a9
Instruction ID: 605bc4d5b7b360e3b41b5d547515f76674cd401a49f002dc3ea3ab187a07f16f
Opcode Fuzzy Hash: d72de521ee7b185e356167bc389d44c13dc6bd71f1b09989e0c6c9684fe664a9
Instruction Fuzzy Hash: 29217479500306DBDB209F69CC45B9A77A4AF95722F340A19FCB1E72E0DB709AD4CB18

Function 00C740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BE604C
Part of subcall function 00BE600E: GetStockObject.GDI32(00000011), ref: 00BE6060
Part of subcall function 00BE600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BE606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C74112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C7411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C7412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C74139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C74145

Strings

Msctls_Progress32, xrefs: 00C740E3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c2ecd8b109e9ea077c9bd4b197174bf92a8fa3a196c2cd9ad9cdc3b7beaf7ff8
Instruction ID: 79d6168bd2a8720420d860e381cdb04670292b4a03a7c03b9ad1cd7b433d23be
Opcode Fuzzy Hash: c2ecd8b109e9ea077c9bd4b197174bf92a8fa3a196c2cd9ad9cdc3b7beaf7ff8
Instruction Fuzzy Hash: 841193B11401197EEF119E64CC85EEB7F9DEF09798F018110FA18A2050C7729C61DBA4

Function 00C1D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C1D7A3: _free.LIBCMT ref: 00C1D7CC

_free.LIBCMT ref: 00C1D82D

Part of subcall function 00C129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000), ref: 00C129DE
Part of subcall function 00C129C8: GetLastError.KERNEL32(00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000,00000000), ref: 00C129F0

_free.LIBCMT ref: 00C1D838
_free.LIBCMT ref: 00C1D843
_free.LIBCMT ref: 00C1D897
_free.LIBCMT ref: 00C1D8A2
_free.LIBCMT ref: 00C1D8AD
_free.LIBCMT ref: 00C1D8B8

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 178da6200d382d21eeed54ce38044698900e30f7fe9f54f10ee2c294a86c770c
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 7E115171540B04AAD521BFB0CC47FCB7BDC6F02710F440825B29AEA1D2DAA5B5A57690

Function 00C4DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C4DA74
LoadStringW.USER32(00000000), ref: 00C4DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C4DA91
LoadStringW.USER32(00000000), ref: 00C4DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C4DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C4DAB9

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 1cde9b6886185bf4cd04b22d706dbd15df59a0507704c6cfa79c011e679aedba
Instruction ID: af9885df731805f4ba2e43436b1db8169117b553901dcd24c18683112bb3a360
Opcode Fuzzy Hash: 1cde9b6886185bf4cd04b22d706dbd15df59a0507704c6cfa79c011e679aedba
Instruction Fuzzy Hash: E10162F25002097FE711ABA09DC9FEB366CE708705F4044A9B71AE2041EA749EC44F74

Function 00C5096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0110B0A8,0110B0A8), ref: 00C5097B
EnterCriticalSection.KERNEL32(0110B088,00000000), ref: 00C5098D
TerminateThread.KERNEL32(?,000001F6), ref: 00C5099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00C509A9
CloseHandle.KERNEL32(?), ref: 00C509B8
InterlockedExchange.KERNEL32(0110B0A8,000001F6), ref: 00C509C8
LeaveCriticalSection.KERNEL32(0110B088), ref: 00C509CF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 47f6d0f275388115711cd2b2bfe75b2d68fbbf0db67dab7a0ff1625f6e124a47
Instruction ID: 84a19d1258a9a68916deae3b0ca7a18b9379686b73cb6d6e4e72f7dd6169c455
Opcode Fuzzy Hash: 47f6d0f275388115711cd2b2bfe75b2d68fbbf0db67dab7a0ff1625f6e124a47
Instruction Fuzzy Hash: A9F01D32442503ABD7415BA4EEC8BDABB25BF01702F501029F205A08A6C77495B5CF94

Function 00BE5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BE5D30
GetWindowRect.USER32(?,?), ref: 00BE5D71
ScreenToClient.USER32(?,?), ref: 00BE5D99
GetClientRect.USER32(?,?), ref: 00BE5ED7
GetWindowRect.USER32(?,?), ref: 00BE5EF8

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4356ca17a0fcf1f0e6032a6434d211e026732580228c0bf360fbd672def3f5c1
Instruction ID: b2835d64f87b0ec5c523818c8935007cbca27dff1aa79e34462f25212f688262
Opcode Fuzzy Hash: 4356ca17a0fcf1f0e6032a6434d211e026732580228c0bf360fbd672def3f5c1
Instruction Fuzzy Hash: 5CB18B38A1078ADBDB24DFA9C4807EEB7F1FF48314F14841AE8A9D7650DB34AA51DB50

Function 00C101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C100D6
__allrem.LIBCMT ref: 00C100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C1010B
__allrem.LIBCMT ref: 00C10122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C10140

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 134dc4c25ccfdb2cd12188a09c656f3b194d81d5680a4d2a607a74df2c6923da
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: A9810772600706ABE7249F69CC41BAB73E8AF46324F34413EF561D66C1E7B4DAC1AB50

Function 00C61D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C63149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00C6101C,00000000,?,?,00000000), ref: 00C63195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C61DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C61DE1
WSAGetLastError.WSOCK32 ref: 00C61DF2
inet_ntoa.WSOCK32(?), ref: 00C61E8C
htons.WSOCK32(?,?,?,?,?), ref: 00C61EDB
_strlen.LIBCMT ref: 00C61F35

Part of subcall function 00C439E8: _strlen.LIBCMT ref: 00C439F2

Part of subcall function 00BE6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00BFCF58,?,?,?), ref: 00BE6DBA
Part of subcall function 00BE6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00BFCF58,?,?,?), ref: 00BE6DED

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 0c541ebcc84e7a6cfdbe8775ed68e62b7064e681c5603a6b5e366c0f6568885f
Instruction ID: b6acc67333c4c6360c5f3930a5d4d309ecedcef56788fc97e1a6174fa5ce9699
Opcode Fuzzy Hash: 0c541ebcc84e7a6cfdbe8775ed68e62b7064e681c5603a6b5e366c0f6568885f
Instruction Fuzzy Hash: 3DA1E230504340AFC324DF65C895F2A77E5AF94318F58898CF9565B2E2CB31EE46CB92

Function 00C161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C082D9,00C082D9,?,?,?,00C1644F,00000001,00000001,8BE85006), ref: 00C16258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C1644F,00000001,00000001,8BE85006,?,?,?), ref: 00C162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C163D8
__freea.LIBCMT ref: 00C163E5

Part of subcall function 00C13820: RtlAllocateHeap.NTDLL(00000000,?,00CB1444,?,00BFFDF5,?,?,00BEA976,00000010,00CB1440,00BE13FC,?,00BE13C6,?,00BE1129), ref: 00C13852

__freea.LIBCMT ref: 00C163EE
__freea.LIBCMT ref: 00C16413

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 69244297c2352e590324abc5ab45f2b09a877e8fef73af97f1333e0692d0a701
Instruction ID: 3823f460bed1386a8d208170e29d113e4aa0c45c491e60c26dd32ba426393208
Opcode Fuzzy Hash: 69244297c2352e590324abc5ab45f2b09a877e8fef73af97f1333e0692d0a701
Instruction Fuzzy Hash: 7F51E172600216ABEB258F64CC81EEF7BAAEB46710F554229FD25D6150EB34DDC0F660

Function 00C6BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C6C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6B6AE,?,?), ref: 00C6C9B5
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6C9F1
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6CA68
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C6BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C6BD25
RegCloseKey.ADVAPI32(00000000), ref: 00C6BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C6BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C6BDF3
RegCloseKey.ADVAPI32(?), ref: 00C6BDFF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 9c6d2eb1febc0d320859196ffad08447c0ad057295757b2118ead4ef119ebcaf
Instruction ID: 0c9df1e62134bdc29fd8e348d526f8b0b562210d845a0034ba41088bee27dc99
Opcode Fuzzy Hash: 9c6d2eb1febc0d320859196ffad08447c0ad057295757b2118ead4ef119ebcaf
Instruction Fuzzy Hash: F1818170108241AFD724DF24C8D5E2ABBE5FF84348F14859CF5598B2A2DB31EE85CB92

Function 00C3F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C3F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C3F860
VariantCopy.OLEAUT32(00C3FA64,00000000), ref: 00C3F889
VariantClear.OLEAUT32(00C3FA64), ref: 00C3F8AD
VariantCopy.OLEAUT32(00C3FA64,00000000), ref: 00C3F8B1
VariantClear.OLEAUT32(?), ref: 00C3F8BB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 416ed960e8ce29084b2a048e5566427e048c998c4acedc5b388706b94146ee72
Instruction ID: dde235dc793082029040005d8fc1c5dd10cc95a3ebe010b772b3428290aec952
Opcode Fuzzy Hash: 416ed960e8ce29084b2a048e5566427e048c998c4acedc5b388706b94146ee72
Instruction Fuzzy Hash: F6510635E20311BACF24AB66D895B3DB3E4EF45310F24986EE906DF291DB708C41CB96

Function 00C5910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00BE7620: _wcslen.LIBCMT ref: 00BE7625

Part of subcall function 00BE6B57: _wcslen.LIBCMT ref: 00BE6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C594E5
_wcslen.LIBCMT ref: 00C59506
_wcslen.LIBCMT ref: 00C5952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00C59585

Strings

X, xrefs: 00C59412

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 8bd49c58e1e26e5d95baf25d4643da8f789678dc5fb0a277c07a09e1cdb23553
Instruction ID: 237977c561339183a066dbed782832a92fcaae1b232aad738b339242d4ccfcc3
Opcode Fuzzy Hash: 8bd49c58e1e26e5d95baf25d4643da8f789678dc5fb0a277c07a09e1cdb23553
Instruction Fuzzy Hash: 8AE1C275508340CFC724DF25C881A6AB7E4FF85314F1489ADF8999B2A2EB30DD49CB96

Function 00BF920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BF9BB2

BeginPaint.USER32(?,?,?), ref: 00BF9241
GetWindowRect.USER32(?,?), ref: 00BF92A5
ScreenToClient.USER32(?,?), ref: 00BF92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BF92D3
EndPaint.USER32(?,?,?,?,?), ref: 00BF9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C371EA

Part of subcall function 00BF9339: BeginPath.GDI32(00000000), ref: 00BF9357

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 964c795f4fe907f77709bd84090652abbcbb9279ff3fe116ecb5cac2a057d9d6
Instruction ID: bc688c1f6fc11ab3b1e177eb5e3d2ea0dfa5368353d3ef90a5035ec024e7198f
Opcode Fuzzy Hash: 964c795f4fe907f77709bd84090652abbcbb9279ff3fe116ecb5cac2a057d9d6
Instruction Fuzzy Hash: 5241AC71504205AFD721DF24DCD4FBE7BE8EB55720F1402A9FAA8872A2C7319889DB61

Function 00C507EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C5080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C50847
EnterCriticalSection.KERNEL32(?), ref: 00C50863
LeaveCriticalSection.KERNEL32(?), ref: 00C508DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C50921

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: e8130e52602f75dffc632264909887c4f911df1bd164a4b14755d0d164e00877
Instruction ID: 8ce03ddb1d371a7182de7fc834ae5846ea540b4b7b7239153cfdeecb416e969c
Opcode Fuzzy Hash: e8130e52602f75dffc632264909887c4f911df1bd164a4b14755d0d164e00877
Instruction Fuzzy Hash: 51414975900206ABDF149F54DC85B6A77B8FF04310F1440A9EE04EB297D730DEA9DBA4

Function 00C781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C3F3AB,00000000,?,?,00000000,?,00C3682C,00000004,00000000,00000000), ref: 00C7824C
EnableWindow.USER32(?,00000000), ref: 00C78272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C782D1
ShowWindow.USER32(?,00000004), ref: 00C782E5
EnableWindow.USER32(?,00000001), ref: 00C7830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C7832F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e95b1b2eab4977da88f027021f9121d069665f4423a0ba81adeb0f9b1a6c34df
Instruction ID: 85ee148449c30f36dccefa77e859c3852345b6218ee109dd616bd06b02ba4dea
Opcode Fuzzy Hash: e95b1b2eab4977da88f027021f9121d069665f4423a0ba81adeb0f9b1a6c34df
Instruction Fuzzy Hash: D2418334A41644AFDF15CF25D8DDBA87BE0BB0A715F188269EB1C4B273CB31A949CB50

Function 00C44C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C44C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C44CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C44CEA
_wcslen.LIBCMT ref: 00C44D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C44D10
_wcsstr.LIBVCRUNTIME ref: 00C44D1A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2d05725f1e0ca66be7ea3307306745900f7e9e1cc2585e696c1581dee72932d1
Instruction ID: d511f735c6e1572d5ba1b5a95023171fc2746d9d3737c464dfef2c45eb3ac0eb
Opcode Fuzzy Hash: 2d05725f1e0ca66be7ea3307306745900f7e9e1cc2585e696c1581dee72932d1
Instruction Fuzzy Hash: D4212931604205BBEB195B39EC89F7F7BECEF45750F20407DF909CA191DA61CD4092A0

Function 00C5581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BE3A97,?,?,00BE2E7F,?,?,?,00000000), ref: 00BE3AC2

_wcslen.LIBCMT ref: 00C5587B
CoInitialize.OLE32(00000000), ref: 00C55995
CoCreateInstance.OLE32(00C7FCF8,00000000,00000001,00C7FB68,?), ref: 00C559AE
CoUninitialize.OLE32 ref: 00C559CC

Strings

.lnk, xrefs: 00C55876, 00C558C1, 00C55985

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3b4789d357dc918a6862672cd706a4b478bd0135b63b66a3e0e4b778e3478ddc
Instruction ID: a06fea0f250218b065aec4fa70ee75ef8059598cf096b01a4b8bd7426ddd338c
Opcode Fuzzy Hash: 3b4789d357dc918a6862672cd706a4b478bd0135b63b66a3e0e4b778e3478ddc
Instruction Fuzzy Hash: 03D187786047019FC714DF15C4A4A2ABBE1FF89711F14889DF8999B361CB31ED8ACB92

Function 00C4175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C40FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C40FCA
Part of subcall function 00C40FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C40FD6
Part of subcall function 00C40FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C40FE5
Part of subcall function 00C40FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C40FEC
Part of subcall function 00C40FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C41002

GetLengthSid.ADVAPI32(?,00000000,00C41335), ref: 00C417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C417BA
HeapAlloc.KERNEL32(00000000), ref: 00C417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C417DA
GetProcessHeap.KERNEL32(00000000,00000000,00C41335), ref: 00C417EE
HeapFree.KERNEL32(00000000), ref: 00C417F5

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 52d9f6bc093901b218852cf228b2bd84cd2f941d1b9afc37e44eabc01f60c330
Instruction ID: a793b3dab49cdfa896a3ea4ae09eba1dc7af893bb02f05dbc6fdd9dbdd452b59
Opcode Fuzzy Hash: 52d9f6bc093901b218852cf228b2bd84cd2f941d1b9afc37e44eabc01f60c330
Instruction Fuzzy Hash: 10118E31510206FFDB109FA4CC89BAE7BB9FB45355F184028F89597210D735AA84CB60

Function 00C414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C41506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C41515
CloseHandle.KERNEL32(00000004), ref: 00C41520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C4154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C41563

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 48b958f2754f6b72738a3306f9533b4f770331689edc36bcf4961c2bcb44e24c
Instruction ID: a858580284acec49ec7ca0ffb95990b9943cf5c37ea2a023d90a7a000ea096fb
Opcode Fuzzy Hash: 48b958f2754f6b72738a3306f9533b4f770331689edc36bcf4961c2bcb44e24c
Instruction Fuzzy Hash: 4D11297250120AABDF118F98DD89BDE7BA9FF48754F088019FE59A2060C3758EA0DB60

Function 00C03382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C03379,00C02FE5), ref: 00C03390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C0339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C033B7
SetLastError.KERNEL32(00000000,?,00C03379,00C02FE5), ref: 00C03409

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 63dde3824b417a87c0920326f80954c328708bfe84ee85788dd5b948e8d1d673
Instruction ID: 6df72f847f175e9e7701a1fb300440fb97f0e84881afcb7246acab65001fd5c7
Opcode Fuzzy Hash: 63dde3824b417a87c0920326f80954c328708bfe84ee85788dd5b948e8d1d673
Instruction Fuzzy Hash: F201D432609351BEE72527B57CC576F2A9CEB063797200229F620861F0FF224F52E644

Function 00C12D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C15686,00C23CD6,?,00000000,?,00C15B6A,?,?,?,?,?,00C0E6D1,?,00CA8A48), ref: 00C12D78
_free.LIBCMT ref: 00C12DAB
_free.LIBCMT ref: 00C12DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C0E6D1,?,00CA8A48,00000010,00BE4F4A,?,?,00000000,00C23CD6), ref: 00C12DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C0E6D1,?,00CA8A48,00000010,00BE4F4A,?,?,00000000,00C23CD6), ref: 00C12DEC
_abort.LIBCMT ref: 00C12DF2

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b90f1a681da807393999e08facf25b0665b62d084641f8f21b7acc5632035dea
Instruction ID: ad2f9217319911cd5f87d670e62b3eaf9efb8ea45ed966f47b9404161e62e441
Opcode Fuzzy Hash: b90f1a681da807393999e08facf25b0665b62d084641f8f21b7acc5632035dea
Instruction Fuzzy Hash: 7AF0A43A6446012BC6223739FC46BDE2559ABC37B5F24041CF838921E2EE2489F2B260

Function 00C78A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BF9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF9693
Part of subcall function 00BF9639: SelectObject.GDI32(?,00000000), ref: 00BF96A2
Part of subcall function 00BF9639: BeginPath.GDI32(?), ref: 00BF96B9
Part of subcall function 00BF9639: SelectObject.GDI32(?,00000000), ref: 00BF96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C78A4E
LineTo.GDI32(?,00000003,00000000), ref: 00C78A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C78A70
LineTo.GDI32(?,00000000,00000003), ref: 00C78A80
EndPath.GDI32(?), ref: 00C78A90
StrokePath.GDI32(?), ref: 00C78AA0

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4cf77c9ca0bec4b93444a851baf9869c0c73f34d933489574462db6686b9b1e7
Instruction ID: d60bd87bd57efdd43e47f06e56760178bea56ab2974943c32e5120cd2586a6e0
Opcode Fuzzy Hash: 4cf77c9ca0bec4b93444a851baf9869c0c73f34d933489574462db6686b9b1e7
Instruction Fuzzy Hash: CB11097604014DFFDB129F90DC88FAE7F6DEB08350F048026BA199A1A1C7719E95DBA0

Function 00C451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C45218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C45229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C45230
ReleaseDC.USER32(00000000,00000000), ref: 00C45238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C4524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C45261

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 46f0057f6b4991e9d52f40ab7e5e919d78f4651e22d50f771be2068236f3070b
Instruction ID: cd07aff674400d9ffcc0755463d0269012cc0fb4d7466d6b99b9ca62e8d23604
Opcode Fuzzy Hash: 46f0057f6b4991e9d52f40ab7e5e919d78f4651e22d50f771be2068236f3070b
Instruction Fuzzy Hash: 71014475E00715BBEB105BA59C89B5EBFB8FF48751F044069FA08A7281D6709900CBA0

Function 00BE1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BE1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00BE1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BE1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BE1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00BE1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BE1C22

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cc1f3da19b8a4e90eb150cf98719645ea90ba817793d2aee7eac7e4e64581743
Instruction ID: 31d6f62146134f670f90085d9b6f96de414e467a4df1269724f252b090a251dc
Opcode Fuzzy Hash: cc1f3da19b8a4e90eb150cf98719645ea90ba817793d2aee7eac7e4e64581743
Instruction Fuzzy Hash: 84016CB090275A7DE3008F5A8C85B56FFA8FF19754F00411FA15C47941C7F5A864CBE5

Function 00C4EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C4EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C4EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C4EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C4EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C4EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C4EB75

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8f7387dd84e493461c464218381a73223b035c56141d2c27150450cb0506f068
Instruction ID: bd64c22c8d1ff6038b42f37f934ed59ecdce72ecc3089faee723ee72d0873d33
Opcode Fuzzy Hash: 8f7387dd84e493461c464218381a73223b035c56141d2c27150450cb0506f068
Instruction Fuzzy Hash: 0FF05E7264015ABBE7215B629C8EFEF3E7CEFCAB11F00016CF615E1091D7A05A41CAB5

Function 00C37439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C37452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C37469
GetWindowDC.USER32(?), ref: 00C37475
GetPixel.GDI32(00000000,?,?), ref: 00C37484
ReleaseDC.USER32(?,00000000), ref: 00C37496
GetSysColor.USER32(00000005), ref: 00C374B0

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 0705357d9d532680e0deda82dc36584fee5566c971749824e8f86b5077aab80d
Instruction ID: 8de573388fab1d64ffdb6668730ac1b3b5f2780c8609e0ec95b3f6e19a510103
Opcode Fuzzy Hash: 0705357d9d532680e0deda82dc36584fee5566c971749824e8f86b5077aab80d
Instruction Fuzzy Hash: 4B016D31404216EFDB615F64DC88BAE7BB5FF04351F550168F92AA31A1CB312E91EF50

Function 00C41874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C4187F
UnloadUserProfile.USERENV(?,?), ref: 00C4188B
CloseHandle.KERNEL32(?), ref: 00C41894
CloseHandle.KERNEL32(?), ref: 00C4189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C418A5
HeapFree.KERNEL32(00000000), ref: 00C418AC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f1c2f96c6d790d79cf20759fb1377575037d1048d6663198e5836c01ec66a7c0
Instruction ID: dbe30d86efe62c43e54434e61300cb5a0d71d901013228e074d2eb522bf5332e
Opcode Fuzzy Hash: f1c2f96c6d790d79cf20759fb1377575037d1048d6663198e5836c01ec66a7c0
Instruction Fuzzy Hash: 5AE0E536004102BBEB015FA1ED4CB4EBF39FF49B22B508228F22991470CB3294B0DF50

Function 00C4C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE7620: _wcslen.LIBCMT ref: 00BE7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C4C6EE
_wcslen.LIBCMT ref: 00C4C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C4C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C4C7CA

Strings

0, xrefs: 00C4C6AF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 7652973d89f93945dd963bb2c2ec1e7d513c8515158fe34857c87e888d967f0d
Instruction ID: d36fbc3daaa7651d7cbecffdde5123ce04b8cd78245a95694254cd8e6ba82528
Opcode Fuzzy Hash: 7652973d89f93945dd963bb2c2ec1e7d513c8515158fe34857c87e888d967f0d
Instruction Fuzzy Hash: 0551DB716063419BD7949F29C8C5BABB7E8BF89314F080A2DF9A5D31F0DB60DA04DB52

Function 00C6AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00C6AEA3

Part of subcall function 00BE7620: _wcslen.LIBCMT ref: 00BE7625

GetProcessId.KERNEL32(00000000), ref: 00C6AF38
CloseHandle.KERNEL32(00000000), ref: 00C6AF67

Strings

@, xrefs: 00C6AE72
<, xrefs: 00C6AE6B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 7f253d7cd85c0b24a0947c47b66f3516403ab76670eebe184dbdf15e0ee968a0
Instruction ID: 1980bf2ec31eef6c3408cdee7690df30e91e7800ac1251ca4c83c61d9169b51f
Opcode Fuzzy Hash: 7f253d7cd85c0b24a0947c47b66f3516403ab76670eebe184dbdf15e0ee968a0
Instruction Fuzzy Hash: 69714970A00655DFCB24DF55D494A9EBBF0EF08314F048499E826AB3A2CB75EE45CF91

Function 00C4719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C47206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C4723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C4724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C472CF

Strings

DllGetClassObject, xrefs: 00C47242

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d63fe6d96e66fe0e2c3fa4f37ac7de16c196c7e941674bf3c1729322bd4b9639
Instruction ID: 10254be7ac9944424b9e0ff363f4ff51ab8252e3b72d49c40bfa76ef11e2bfa1
Opcode Fuzzy Hash: d63fe6d96e66fe0e2c3fa4f37ac7de16c196c7e941674bf3c1729322bd4b9639
Instruction Fuzzy Hash: E4416DB1A04205EFDB25CF64C884B9A7BA9FF44310F1481ADBD099F20AD7B0DA44CBA0

Function 00C73D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C73E35
IsMenu.USER32(?), ref: 00C73E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C73E92
DrawMenuBar.USER32 ref: 00C73EA5

Strings

0, xrefs: 00C73D89

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: a0cc1f14c6d989580b512390083cd78b693879f5b339c81b089013bf27a2b69c
Instruction ID: cc9cd0810cf41517420d240f3526a72f0fc9f72c30e29490c1bb59e78e7bcf63
Opcode Fuzzy Hash: a0cc1f14c6d989580b512390083cd78b693879f5b339c81b089013bf27a2b69c
Instruction Fuzzy Hash: 74415975A01249EFDB10DF60D884EAEBBB9FF49354F04812AF919A7250D730AE44EF60

Function 00C41DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C43CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C41E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C41E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C41EA9

Part of subcall function 00BE6B57: _wcslen.LIBCMT ref: 00BE6B6A

Strings

ComboBox, xrefs: 00C41DF0
ListBox, xrefs: 00C41E25

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 52bebefc75610412c00fdedd401947d42b1a5f948ea9c4306f6bc4a6960dbfef
Instruction ID: f7ad35ee54f3a2ec3e06009094a05a6d04d5a3f2a03a3175d1f86b5dbb81efa5
Opcode Fuzzy Hash: 52bebefc75610412c00fdedd401947d42b1a5f948ea9c4306f6bc4a6960dbfef
Instruction Fuzzy Hash: 6F214775A00105BFDB14ABA5DC8ADFFBBB8EF41390B14412DFC65A31E1DB344E8A8620

Function 00C6C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C6C9F1
_wcslen.LIBCMT ref: 00C6CA68
_wcslen.LIBCMT ref: 00C6CA9E
_wcslen.LIBCMT ref: 00C6CAF9
_wcslen.LIBCMT ref: 00C6CB2F
_wcslen.LIBCMT ref: 00C6CB7F

Strings

HKLM, xrefs: 00C6CA98, 00C6CA9D
HKEY_LOCAL_MACHINE, xrefs: 00C6CA62, 00C6CA67

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 50dc6ec5a3e42143342688d3e796aa80fddd0e3432ff66b0b879821b8076136e
Instruction ID: bd3a6bb7627c9bda033b25f77011084abf57edc9344c17657d4e9e97950b3c7a
Opcode Fuzzy Hash: 50dc6ec5a3e42143342688d3e796aa80fddd0e3432ff66b0b879821b8076136e
Instruction Fuzzy Hash: 5A31097360016A4BCB30DFACC8C01BF33915BA1754B494129ECA1AB346E670CF40F3A0

Function 00C72F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C72F8D
LoadLibraryW.KERNEL32(?), ref: 00C72F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C72FA9
DestroyWindow.USER32(?), ref: 00C72FB1

Strings

SysAnimate32, xrefs: 00C72F68

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c5d0135eb400fdb4a7928d37f00d171e650d7df440dfddb94f3969fd68fa5eb5
Instruction ID: f82a7d28a985055655040b2af8d40f8b4b67077f0746a443a46ea3506a0eab25
Opcode Fuzzy Hash: c5d0135eb400fdb4a7928d37f00d171e650d7df440dfddb94f3969fd68fa5eb5
Instruction Fuzzy Hash: 3221CD72200225AFEF104FA4DC80FBB37BDEB59364F108628F968D2190D771DD919760

Function 00C04D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C04D1E,00C128E9,?,00C04CBE,00C128E9,00CA88B8,0000000C,00C04E15,00C128E9,00000002), ref: 00C04D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C04DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C04D1E,00C128E9,?,00C04CBE,00C128E9,00CA88B8,0000000C,00C04E15,00C128E9,00000002,00000000), ref: 00C04DC3

Strings

CorExitProcess, xrefs: 00C04D98
mscoree.dll, xrefs: 00C04D86

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0b23bac27331b9655416551d70d62f2bd5cf3aa0f6f16c63f70fbebb5ec67656
Instruction ID: 948dbfdfcb5feac9a94f61a8dd048a31de5137e050ba63fdd1cd3821a49f95eb
Opcode Fuzzy Hash: 0b23bac27331b9655416551d70d62f2bd5cf3aa0f6f16c63f70fbebb5ec67656
Instruction Fuzzy Hash: D1F04F75A40209BBDB159F90DC89BAEBFB5EF44756F5400A8F909A22A0CB305A80DB95

Function 00BE4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BE4EDD,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BE4EAE
FreeLibrary.KERNEL32(00000000,?,?,00BE4EDD,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00BE4EA8
kernel32.dll, xrefs: 00BE4E94

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e613e5a61f8b264372436e33b1bc0fd6fe0d6e4509ac13e2e43312f646f1b5b2
Instruction ID: 068cf2621e114a9f763123e766b8eb442c7d9b50a9ba7e25f2c31c6c3e93ee75
Opcode Fuzzy Hash: e613e5a61f8b264372436e33b1bc0fd6fe0d6e4509ac13e2e43312f646f1b5b2
Instruction Fuzzy Hash: 47E0CD36E015A35BD3311B266C58B6F66D8EFC1F62B050179FC08D2100DB64CD4185A0

Function 00BE4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C23CDE,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BE4E74
FreeLibrary.KERNEL32(00000000,?,?,00C23CDE,?,00CB1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BE4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00BE4E6E
kernel32.dll, xrefs: 00BE4E5B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: a0c662488c5528c9daf130274f6b674bf218e293a3e0f558420628079e83bbde
Instruction ID: 9be4b8ee60df3c78d0c7b7fac3a3547809684c07af8b68d0c1b0d4721376fe90
Opcode Fuzzy Hash: a0c662488c5528c9daf130274f6b674bf218e293a3e0f558420628079e83bbde
Instruction Fuzzy Hash: D2D0C2329026A35747221B266C18F8F6A58EF89B113490178B808A2110CF20CD42C5D0

Function 00C52947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C52C05
DeleteFileW.KERNEL32(?), ref: 00C52C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C52C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C52CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C52CC0

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: fde980aa90633d4f65fd30e77cea458f9a78e245614f5a7c7666ebf3a6978417
Instruction ID: 51a5e816d2062046bc785c6fb78f07b714f996fff6d470edb59de46f33aa6289
Opcode Fuzzy Hash: fde980aa90633d4f65fd30e77cea458f9a78e245614f5a7c7666ebf3a6978417
Instruction Fuzzy Hash: CBB16075900119ABDF21DBA4CC85EDEB7BDEF09354F0040A6F909E7142EB30AA88DF65

Function 00C6A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00C6A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C6A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C6A468
CloseHandle.KERNEL32(?), ref: 00C6A63D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d29b5fefdd503dc7c2bd5a466612c903856432fff695eede3a29c5807e65cc13
Instruction ID: ae0715ac6360528b87ca003616e2e90c123a406c693cee8c1fc12ea28e305776
Opcode Fuzzy Hash: d29b5fefdd503dc7c2bd5a466612c903856432fff695eede3a29c5807e65cc13
Instruction Fuzzy Hash: BDA1C071604701AFD720DF25C882F2AB7E1AF84714F14885DF5AA9B392DBB0ED45CB92

Function 00C4E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C4CF22,?), ref: 00C4DDFD

Part of subcall function 00C4DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C4CF22,?), ref: 00C4DE16

Part of subcall function 00C4E199: GetFileAttributesW.KERNEL32(?,00C4CF95), ref: 00C4E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C4E473
MoveFileW.KERNEL32(?,?), ref: 00C4E4AC
_wcslen.LIBCMT ref: 00C4E5EB
_wcslen.LIBCMT ref: 00C4E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C4E650

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 7fdfbdc80433c1098e3f2b7f00ff8c6dfea9f0d09ea855c39712dcf521e460c4
Instruction ID: a045e9fcc28f443981de715829c0c9acc74f41728d6a64d7f104ac078cd955b5
Opcode Fuzzy Hash: 7fdfbdc80433c1098e3f2b7f00ff8c6dfea9f0d09ea855c39712dcf521e460c4
Instruction Fuzzy Hash: 8F5152B24083859BC724EB90D881ADF77ECBF84344F00492EF599D3191EF74A688CB66

Function 00C6B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C6C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6B6AE,?,?), ref: 00C6C9B5
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6C9F1
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6CA68
Part of subcall function 00C6C998: _wcslen.LIBCMT ref: 00C6CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C6BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C6BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C6BB63
RegCloseKey.ADVAPI32(?,?), ref: 00C6BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00C6BBB3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6f53f69b690d934723403445635adfabc50947fd848898969cfa208d2d0601db
Instruction ID: 701fd40a46d7306f9dbed09fc43d0cf744a261ab9553ab7108cd448fe1c5876e
Opcode Fuzzy Hash: 6f53f69b690d934723403445635adfabc50947fd848898969cfa208d2d0601db
Instruction Fuzzy Hash: 8A619331208241AFD724DF54C4D0E2ABBE5FF84348F54859CF4998B2A2DB31ED85DB92

Function 00C48BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C48BCD
VariantClear.OLEAUT32 ref: 00C48C3E
VariantClear.OLEAUT32 ref: 00C48C9D
VariantClear.OLEAUT32(?), ref: 00C48D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C48D3B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8661793f8b4ac87a662e3fa0d12dd77066daad202b3e58f7bf69cfa7e108559e
Instruction ID: 3dab9338245fef5d17e54cb8a5b823ff44033a937bcfaa2e58d5a1988411040e
Opcode Fuzzy Hash: 8661793f8b4ac87a662e3fa0d12dd77066daad202b3e58f7bf69cfa7e108559e
Instruction Fuzzy Hash: B75158B5A0121AEFCB14CF68C894AAEB7F8FF89314B158559E919DB350E730E911CF90

Function 00C58AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C58BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C58BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C58C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C58C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C58C5F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: a8bd433fa2a0ed0d2cb33ff20c8564f83f470c6dbd175bd13ca8d1ed2930a56f
Instruction ID: 95a77d699784cc80bf55a14d32a37cba150442332d1216a85d42324ccc393229
Opcode Fuzzy Hash: a8bd433fa2a0ed0d2cb33ff20c8564f83f470c6dbd175bd13ca8d1ed2930a56f
Instruction Fuzzy Hash: 26514B35A006199FCB15DF65C881E6EBBF5FF48314F088498E849AB362DB31ED95CB90

Function 00C68EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C68F40
GetProcAddress.KERNEL32(00000000,?), ref: 00C68FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C68FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00C69032
FreeLibrary.KERNEL32(00000000), ref: 00C69052

Part of subcall function 00BFF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C51043,?,753CE610), ref: 00BFF6E6
Part of subcall function 00BFF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C3FA64,00000000,00000000,?,?,00C51043,?,753CE610,?,00C3FA64), ref: 00BFF70D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 81e0f42c01e70c7943217e82905abfc8f585c2c839025c6bfbd4e04ef712bc2b
Instruction ID: a006eeb8844ce2fba019c7fabdb14666a7c1a16e83b628991bd0904d7f67e42b
Opcode Fuzzy Hash: 81e0f42c01e70c7943217e82905abfc8f585c2c839025c6bfbd4e04ef712bc2b
Instruction Fuzzy Hash: 21515B35600245DFCB20DF69C4D49ADBBF1FF49314B4481A8E81A9B362DB31EE89CB91

Function 00C76B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C76C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00C76C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C76C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C5AB79,00000000,00000000), ref: 00C76C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C76CC7

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 35581b52b5f0c4671a9f460694c430d53d12583da26f33c6a470d3440ba31811
Instruction ID: 1b2856a2e43285b899447c3be8e83f362173d2ecddcb093b20409d0bc913a1f2
Opcode Fuzzy Hash: 35581b52b5f0c4671a9f460694c430d53d12583da26f33c6a470d3440ba31811
Instruction Fuzzy Hash: CB41E635A04504AFD725CF39CC98FA97BA5EB09360F148268FCADA72E0C771EE41DA40

Function 00C12051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C120C3
_free.LIBCMT ref: 00C120E3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: aea5d7a4c3efd4b5ed9ec221cc7fa4b9c5f80e4d910d48b123d60ef5980f1b92
Instruction ID: bd2dab2e30745d0d94e633c9e1d6a4e2ac6e9cd103660e8a3c208d7238bfd1fd
Opcode Fuzzy Hash: aea5d7a4c3efd4b5ed9ec221cc7fa4b9c5f80e4d910d48b123d60ef5980f1b92
Instruction Fuzzy Hash: 4341FB36A00204AFCB24DF78C881A9DB7F5EF8A314F1545A9E615EB351D731EE51E780

Function 00BF912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF9141
ScreenToClient.USER32(00000000,?), ref: 00BF915E
GetAsyncKeyState.USER32(00000001), ref: 00BF9183
GetAsyncKeyState.USER32(00000002), ref: 00BF919D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d9088202dc2dcac579863e56229fc8f7b4e9a5da165d278719edb9e257920836
Instruction ID: 31da242d5843de1e8c26ca26eb1f433c1ce261ca339da2d103b19da0f55e9d20
Opcode Fuzzy Hash: d9088202dc2dcac579863e56229fc8f7b4e9a5da165d278719edb9e257920836
Instruction Fuzzy Hash: 6B41607190850BFBDF159F64C844BFEB7B4FB05324F208369E529A3290C7306A54DB91

Function 00C53874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C53922
TranslateMessage.USER32(?), ref: 00C5394B
DispatchMessageW.USER32(?), ref: 00C53955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C53966

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b760152b55f756ca9ef5e8f99eaa887b60c90333d56b566c6de9918ba77f97a1
Instruction ID: ec95c8dcc54fef76fb748daa843d93bfb6b6a0d8af9af47a8d761fc924dbaf21
Opcode Fuzzy Hash: b760152b55f756ca9ef5e8f99eaa887b60c90333d56b566c6de9918ba77f97a1
Instruction Fuzzy Hash: 7A31EAB45043C69EEB35CB359858BBA37E4AB11382F48055DEC76820E0E7B597CCCB15

Function 00C5CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C5C21E,00000000), ref: 00C5CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00C5CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00C5C21E,00000000), ref: 00C5CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C5C21E,00000000), ref: 00C5CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C5C21E,00000000), ref: 00C5CFF2

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: fc8c8f4b8c9926e60a2abf6d303fc0f3e25631593a8b5e1940bf82451d28bd76
Instruction ID: c681890fd7b9af618b42cdd3f0d89c7f498b6f7c37d7198ee82f099e93c14481
Opcode Fuzzy Hash: fc8c8f4b8c9926e60a2abf6d303fc0f3e25631593a8b5e1940bf82451d28bd76
Instruction Fuzzy Hash: 06317F75600306AFDB24DFE5C8C4AAFBBF9EF14352B10456EF916D2111DB30AE889B64

Function 00C41901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C41915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C419E2

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ab836db9d546b65871a7b11d3fd42ae74b2d6b95f885bc3f922aa21cc1c4cddb
Instruction ID: 06a66cbd8d2a2fed7892ff5d18f7a625a80e99df179ec36bf19105c5e6540e6f
Opcode Fuzzy Hash: ab836db9d546b65871a7b11d3fd42ae74b2d6b95f885bc3f922aa21cc1c4cddb
Instruction Fuzzy Hash: 1931AD71A0021AEFCB04CFA8C999BDE3BB5FB14315F144229FD65AB2D1C7709A94CB90

Function 00C75706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C75745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C7579D
_wcslen.LIBCMT ref: 00C757AF
_wcslen.LIBCMT ref: 00C757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C75816

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 51f920fb2bd3cc843d2c75b648850ed2eaa59f2e56206b40137b5b15f857cf89
Instruction ID: 212cfbffc7b8419e448245bb298a063eff7b683c69a13e4f971f215ecd19eaef
Opcode Fuzzy Hash: 51f920fb2bd3cc843d2c75b648850ed2eaa59f2e56206b40137b5b15f857cf89
Instruction Fuzzy Hash: D42165759046189ADB209F65CC85AEE7BBCFF04764F10C21AFA2DEA1C0D7B19A85CF50

Function 00C60930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C60951
GetForegroundWindow.USER32 ref: 00C60968
GetDC.USER32(00000000), ref: 00C609A4
GetPixel.GDI32(00000000,?,00000003), ref: 00C609B0
ReleaseDC.USER32(00000000,00000003), ref: 00C609E8

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 30c5372c65ae88b8e3cd56794b7093d12854b6d866ea9b44722a8e5f60959494
Instruction ID: 9865b7d5c0cd44c15f2c1af3b02783c3de0402ac1fcb9c496d44e5f3cb0bb536
Opcode Fuzzy Hash: 30c5372c65ae88b8e3cd56794b7093d12854b6d866ea9b44722a8e5f60959494
Instruction Fuzzy Hash: 0E218135600204AFD714EF65D889BAFBBE5EF44701F14846CF85AA7352DB70AD44DB50

Function 00C1CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C1CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C1CDE9

Part of subcall function 00C13820: RtlAllocateHeap.NTDLL(00000000,?,00CB1444,?,00BFFDF5,?,?,00BEA976,00000010,00CB1440,00BE13FC,?,00BE13C6,?,00BE1129), ref: 00C13852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C1CE0F
_free.LIBCMT ref: 00C1CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C1CE31

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 60fcb5bb25cabe5c1d26286b669ee727279a52b2ed40f0b6fed5526ff50ae2a1
Instruction ID: e90152dec0c333abc5f8f73aaad9f034811c5cfa54b90a9110b016977993822e
Opcode Fuzzy Hash: 60fcb5bb25cabe5c1d26286b669ee727279a52b2ed40f0b6fed5526ff50ae2a1
Instruction Fuzzy Hash: E60184726412157F232116BA6CC9EFF696DEFC7BA1315012DF919C7201EA618E91A1B0

Function 00BF9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF9693
SelectObject.GDI32(?,00000000), ref: 00BF96A2
BeginPath.GDI32(?), ref: 00BF96B9
SelectObject.GDI32(?,00000000), ref: 00BF96E2

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 31d073545e6983b691a761704883194d6ee03dc67cb345546aa76e0c1c1b9264
Instruction ID: ee88276f64d5b5fdb76d6c98a6752f7013b4b99d7a049e27141b4baf4a6044c6
Opcode Fuzzy Hash: 31d073545e6983b691a761704883194d6ee03dc67cb345546aa76e0c1c1b9264
Instruction Fuzzy Hash: 10217F70C02349EBDB119F24EC647BD3BA8FB10315F54435AF914A71B0D3709899CB94

Function 00C45711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C45726
_memcmp.LIBVCRUNTIME ref: 00C45744
_memcmp.LIBVCRUNTIME ref: 00C45757
_memcmp.LIBVCRUNTIME ref: 00C4576F
_memcmp.LIBVCRUNTIME ref: 00C45787

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4d10cbe7d8eff921487dfb5170df8c9dfa0871acd30ca2baa4a6d88533d80bd8
Instruction ID: 67cf4cee1791b8ab41ab4f4570ce8572aefa6923daed22f59efc0f9002aa777a
Opcode Fuzzy Hash: 4d10cbe7d8eff921487dfb5170df8c9dfa0871acd30ca2baa4a6d88533d80bd8
Instruction Fuzzy Hash: 8101B9A1651605BBE21855119E82FBB735CBB21394F048035FD189A282F760EE52D2B1

Function 00C12DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C0F2DE,00C13863,00CB1444,?,00BFFDF5,?,?,00BEA976,00000010,00CB1440,00BE13FC,?,00BE13C6), ref: 00C12DFD
_free.LIBCMT ref: 00C12E32
_free.LIBCMT ref: 00C12E59
SetLastError.KERNEL32(00000000,00BE1129), ref: 00C12E66
SetLastError.KERNEL32(00000000,00BE1129), ref: 00C12E6F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4ad3e38127165b0766615c4db63db97d0928dca6ac7187fb112e6d7d8d618685
Instruction ID: a75ca0e1b8455c7a843d9b85615f89ecff2f613f75ebd20ac6cee85162d1d7b8
Opcode Fuzzy Hash: 4ad3e38127165b0766615c4db63db97d0928dca6ac7187fb112e6d7d8d618685
Instruction Fuzzy Hash: 9D01F93A24560067C71227356C85FEF1559AFC3376F204028F439A22D3EB348DF27120

Function 00C4000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?,?,?,00C4035E), ref: 00C4002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?,?), ref: 00C40046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?,?), ref: 00C40054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?), ref: 00C40064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C3FF41,80070057,?,?), ref: 00C40070

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 854fbd77b0caf667b14fc19fc7a157c9fb0ea7503ca9a8a2203a662c285be0d8
Instruction ID: 70597f7ffc3660b325a1b4e23caa8b0b05f8f34bf60ac42520c62694a8e2c81c
Opcode Fuzzy Hash: 854fbd77b0caf667b14fc19fc7a157c9fb0ea7503ca9a8a2203a662c285be0d8
Instruction Fuzzy Hash: CB018F72640205BFDB204F69DC48BAE7BADFB44752F244128FE09D2210D775DE808BA0

Function 00C4E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C4E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C4E9A5
Sleep.KERNEL32(00000000), ref: 00C4E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C4E9B7
Sleep.KERNEL32 ref: 00C4E9F3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 02a986aed6aa993bd07f5bc9fd46e22d84f9e42649aae09bac5dc6a7a08af60d
Instruction ID: 0cb0601998e234a487a6fa45ec445d0c373798c4733e2a6cd536ddda69860a81
Opcode Fuzzy Hash: 02a986aed6aa993bd07f5bc9fd46e22d84f9e42649aae09bac5dc6a7a08af60d
Instruction Fuzzy Hash: F6016D31C0152ADBCF00AFE5DC89BEDBB78FF18310F41055AE902B2191CB309691C761

Function 00C410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C41114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C41120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C4112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C40B9B,?,?,?), ref: 00C41136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C4114D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 49db687e67500d964e2a887bbe3e70553195288508ca53bfba50304ebe8c960c
Instruction ID: e57c405d68be21f6bd9868c4b10e63babb038c8e93fa934c25584b30c0ab064e
Opcode Fuzzy Hash: 49db687e67500d964e2a887bbe3e70553195288508ca53bfba50304ebe8c960c
Instruction Fuzzy Hash: 4E016975200206BFDB114FA4DC89B6E3B6EFF893A1B240428FA49C3360DA31DD808A60

Function 00C40FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C40FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C40FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C40FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C40FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C41002

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7a09fd5650830578f5a6306d31648f2bd1807018e396e1275b940bf4782d4027
Instruction ID: 0310d9da6e25aa0ace15ac2abe8b4bb76b838e497caa2f05e37dad7d094271dc
Opcode Fuzzy Hash: 7a09fd5650830578f5a6306d31648f2bd1807018e396e1275b940bf4782d4027
Instruction Fuzzy Hash: 01F04935200302AFDB214FA4AC89F5A3FADFF89762F544428FA49D6251CA70DC908A60

Function 00C41014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C4102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C41036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C41045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C4104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C41062

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 135a21813f884bd13819b145e77e879bce798ebad9c99d788a0b5eea4fd4aa42
Instruction ID: 9034c0adb334ca084e6a88b05fe405d7dea6c93e5d94fbd6c00e43d099e1f87b
Opcode Fuzzy Hash: 135a21813f884bd13819b145e77e879bce798ebad9c99d788a0b5eea4fd4aa42
Instruction Fuzzy Hash: 2DF06D35200302EBDB215FA4EC89F5A3BADFF89761F140428FE49D7250CA70D9908A60

Function 00C5030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C5017D,?,00C532FC,?,00000001,00C22592,?), ref: 00C50324
CloseHandle.KERNEL32(?,?,?,?,00C5017D,?,00C532FC,?,00000001,00C22592,?), ref: 00C50331
CloseHandle.KERNEL32(?,?,?,?,00C5017D,?,00C532FC,?,00000001,00C22592,?), ref: 00C5033E
CloseHandle.KERNEL32(?,?,?,?,00C5017D,?,00C532FC,?,00000001,00C22592,?), ref: 00C5034B
CloseHandle.KERNEL32(?,?,?,?,00C5017D,?,00C532FC,?,00000001,00C22592,?), ref: 00C50358
CloseHandle.KERNEL32(?,?,?,?,00C5017D,?,00C532FC,?,00000001,00C22592,?), ref: 00C50365

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9825ba0547688a16bad79577186eb04d03543594da7e16cf59c11f778343d329
Instruction ID: c373249d73083446fbabc050880d571c5a6125c14257b9912f65160eebcaad6e
Opcode Fuzzy Hash: 9825ba0547688a16bad79577186eb04d03543594da7e16cf59c11f778343d329
Instruction Fuzzy Hash: BF01A276800B159FC7309F66D880416F7F5BF503163258A3FD1A692931C371AA98CF84

Function 00C1D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C1D752

Part of subcall function 00C129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000), ref: 00C129DE
Part of subcall function 00C129C8: GetLastError.KERNEL32(00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000,00000000), ref: 00C129F0

_free.LIBCMT ref: 00C1D764
_free.LIBCMT ref: 00C1D776
_free.LIBCMT ref: 00C1D788
_free.LIBCMT ref: 00C1D79A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e31471a3fc3f46d479180814e4daab4ec43a35995c765fbd7249e273f46d5d9c
Instruction ID: 04013d6bbbc786fafb902651152c3d00518902f5f61e5ebd97cab7eb29fa39be
Opcode Fuzzy Hash: e31471a3fc3f46d479180814e4daab4ec43a35995c765fbd7249e273f46d5d9c
Instruction Fuzzy Hash: 78F06232500204AB8621EB68F9C5E9A77DDBB07720F940C05F059DB585CB34FCD0A6E0

Function 00C45C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C45C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C45C6F
MessageBeep.USER32(00000000), ref: 00C45C87
KillTimer.USER32(?,0000040A), ref: 00C45CA3
EndDialog.USER32(?,00000001), ref: 00C45CBD

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 20485cec726b7b94a88a8e751c8df12db0945e58dc384de796d72759315d53f6
Instruction ID: 0db47e601c5fb76078888c100b7acc3e2448b14d2319c121a3edc389e2d96edd
Opcode Fuzzy Hash: 20485cec726b7b94a88a8e751c8df12db0945e58dc384de796d72759315d53f6
Instruction Fuzzy Hash: 73018630500B05ABEB315B20DDCEFAA77B8BB04B45F00055DB597A10E1DBF0AA848B91

Function 00C122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C122BE

Part of subcall function 00C129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000), ref: 00C129DE
Part of subcall function 00C129C8: GetLastError.KERNEL32(00000000,?,00C1D7D1,00000000,00000000,00000000,00000000,?,00C1D7F8,00000000,00000007,00000000,?,00C1DBF5,00000000,00000000), ref: 00C129F0

_free.LIBCMT ref: 00C122D0
_free.LIBCMT ref: 00C122E3
_free.LIBCMT ref: 00C122F4
_free.LIBCMT ref: 00C12305

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce912f05834b194fc98daf24991913a63a8d59cde890a4d6280a2548eedc3d50
Instruction ID: f4963edf42d89b4be4b12bd3013632d5cc850791cc90ef7616c139ad4169feff
Opcode Fuzzy Hash: ce912f05834b194fc98daf24991913a63a8d59cde890a4d6280a2548eedc3d50
Instruction Fuzzy Hash: 67F05E799001208B8A12AF98BC41BAD3B64F71A770F54070AF810DB3B1C73449B1BFE5

Function 00BF95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BF95D4
StrokeAndFillPath.GDI32(?,?,00C371F7,00000000,?,?,?), ref: 00BF95F0
SelectObject.GDI32(?,00000000), ref: 00BF9603
DeleteObject.GDI32 ref: 00BF9616
StrokePath.GDI32(?), ref: 00BF9631

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7a0868fefe0dbfda59e97646ed522f77adcd438939d14941f80dbc9258f83577
Instruction ID: 067ff3053a81d6192d093c5c64f4c87997aa8fb2742012910b0806cca7361f2f
Opcode Fuzzy Hash: 7a0868fefe0dbfda59e97646ed522f77adcd438939d14941f80dbc9258f83577
Instruction Fuzzy Hash: AEF03C30805349EBDB225F65ED6C7BC3BA5EB10322F588358F929960F0C7308995DF60

Function 00C10F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C110F9
__freea.LIBCMT ref: 00C11117

Part of subcall function 00C11537: _free.LIBCMT ref: 00C1154F

Strings

a/p, xrefs: 00C111DE
am/pm, xrefs: 00C1117A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 1d25bcedfa4f824bb411704f5c4885dc9157366ee1158bb409f663ccf019288c
Instruction ID: 69852697785faee297c3b3e8dbc95fdaa0acacd02cc4d4a693ce92ebcfd28714
Opcode Fuzzy Hash: 1d25bcedfa4f824bb411704f5c4885dc9157366ee1158bb409f663ccf019288c
Instruction Fuzzy Hash: 28D1DF31900246DACB249F68C845BFEB7B1EF07300F6C4159EF219B664D2799EC1EB91

Function 00C67B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C00242: EnterCriticalSection.KERNEL32(00CB070C,00CB1884,?,?,00BF198B,00CB2518,?,?,?,00BE12F9,00000000), ref: 00C0024D
Part of subcall function 00C00242: LeaveCriticalSection.KERNEL32(00CB070C,?,00BF198B,00CB2518,?,?,?,00BE12F9,00000000), ref: 00C0028A

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C000A3: __onexit.LIBCMT ref: 00C000A9

__Init_thread_footer.LIBCMT ref: 00C67BFB

Part of subcall function 00C001F8: EnterCriticalSection.KERNEL32(00CB070C,?,?,00BF8747,00CB2514), ref: 00C00202
Part of subcall function 00C001F8: LeaveCriticalSection.KERNEL32(00CB070C,?,00BF8747,00CB2514), ref: 00C00235

Strings

Variable must be of type 'Object'., xrefs: 00C67C3A
G, xrefs: 00C67C7F
5, xrefs: 00C67C78

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 2e4a99e49181d400b0f8dd6e39ef08310cbfe11940171dad818f99b2f190764e
Instruction ID: c5dfd8ffabb65e767984eb12565c108dc1263d6fcad22da91cca2a2a31450d0e
Opcode Fuzzy Hash: 2e4a99e49181d400b0f8dd6e39ef08310cbfe11940171dad818f99b2f190764e
Instruction Fuzzy Hash: F7918C70A04209EFCB24EF54D8D19BDB7B1FF44308F108A99F8169B292DB31AE45DB51

Function 00C42716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C421D0,?,?,00000034,00000800,?,00000034), ref: 00C4B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C42760

Part of subcall function 00C4B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C4B3F8

Part of subcall function 00C4B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C4B355
Part of subcall function 00C4B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C42194,00000034,?,?,00001004,00000000,00000000), ref: 00C4B365
Part of subcall function 00C4B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C42194,00000034,?,?,00001004,00000000,00000000), ref: 00C4B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C4281A

Strings

@, xrefs: 00C42832

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: bf085b7d26f1133d92216f626052483f07d8cd285d7cf99ef7d2a297768c79cd
Instruction ID: a49d5d75d97e5298bdf487862fa5092f3e92533db8f9511c41d8659c52e4498a
Opcode Fuzzy Hash: bf085b7d26f1133d92216f626052483f07d8cd285d7cf99ef7d2a297768c79cd
Instruction Fuzzy Hash: 94411D76900218AFDB10DFA4CD86BDEBBB8BF05700F104099FA55B7191DB70AE85DB61

Function 00C1172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C11769
_free.LIBCMT ref: 00C11834
_free.LIBCMT ref: 00C1183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C11760, 00C11767, 00C11796, 00C117CE

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: ca8e6551c911e12c674e5210ad18705eb89c3c9a25eb476ebc2c8d54e24ca2a7
Instruction ID: f08395ccdf7b4b3aaf13d43e405dbba30145ee5a1cf2c1e41167adaddebad5eb
Opcode Fuzzy Hash: ca8e6551c911e12c674e5210ad18705eb89c3c9a25eb476ebc2c8d54e24ca2a7
Instruction Fuzzy Hash: 7E31A075A00218EFDB21DF99D881EDEBBFCEB86310F58416AFD1497251D6748E80EB90

Function 00C4C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C4C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C4C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CB1990,01116928), ref: 00C4C395

Strings

0, xrefs: 00C4C2DF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9bf3dbd273d6eb08b40a7e1f0e306f9e438d1318924d84d432d459af61e7ed1b
Instruction ID: 616814c92264a3b83382dbe849c89e1e3afec596fac1b668054eae530ba412ae
Opcode Fuzzy Hash: 9bf3dbd273d6eb08b40a7e1f0e306f9e438d1318924d84d432d459af61e7ed1b
Instruction Fuzzy Hash: 01419F312053029FD760DF25D8C4B9ABBE8BF85310F00865DF9A5972A1D770E904DB62

Function 00C74416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C7CC08,00000000,?,?,?,?), ref: 00C744AA
GetWindowLongW.USER32 ref: 00C744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C744D7

Strings

SysTreeView32, xrefs: 00C7447C

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3537ff07fecf6f973c3b2f696d00efd1086429cb5d2eae9e51abbdf26a6c5a0e
Instruction ID: 84165356bc6cac9176d7a563d71ec953ef25bab26dfc5fee8f0de2a4a5291866
Opcode Fuzzy Hash: 3537ff07fecf6f973c3b2f696d00efd1086429cb5d2eae9e51abbdf26a6c5a0e
Instruction Fuzzy Hash: 2C318F31210205AFDB258E78DC85BEA77A9EB08334F208715F979921E0DB70ED509750

Function 00C6304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C6335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C63077,?,?), ref: 00C63378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C6307A
_wcslen.LIBCMT ref: 00C6309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00C63106

Strings

255.255.255.255, xrefs: 00C63095, 00C6309A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 9f62bc792d5d56891b386225441d1ac274990406023bae2965e293ed78686265
Instruction ID: 7f7ac8a605293a3f2ff3b49c9e730d36bcc76fcd8ddc80e497d27ed281980db8
Opcode Fuzzy Hash: 9f62bc792d5d56891b386225441d1ac274990406023bae2965e293ed78686265
Instruction Fuzzy Hash: 9031C4356042819FCB20CF69C5C5E6A77E0EF55318F248059E9258B392D732DF85C761

Function 00C73EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C73F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C73F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C73F78

Strings

SysMonthCal32, xrefs: 00C73F0B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a56308295873f99eb57cf0b8fb5188f9ea44a0fbe78e6bb4c670d471ae0453c6
Instruction ID: fd60c93ac9a82e7a98bf9bd725d91673fa06b3dd73ea66e53af81f77ad629c49
Opcode Fuzzy Hash: a56308295873f99eb57cf0b8fb5188f9ea44a0fbe78e6bb4c670d471ae0453c6
Instruction Fuzzy Hash: 1B21AD32600259BFDF118E90CC86FEE3B79EB48754F114254FA196B1D0D6B1A9509B90

Function 00C74653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C74705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C74713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C7471A

Strings

msctls_updown32, xrefs: 00C74684

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: dba6817af4b313fd5906aeda9444e93a39add5d7f2da8756f81b63513c97f938
Instruction ID: 1519bed0f8565a10d09230b030fb54f661704614c472070fadb746bea9b38fba
Opcode Fuzzy Hash: dba6817af4b313fd5906aeda9444e93a39add5d7f2da8756f81b63513c97f938
Instruction Fuzzy Hash: 042190B5600209AFDB14DF64DCD1EAB37ADEB8A3A4B044159FA149B251CB30ED11CA60

Function 00C495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C4961D

Strings

#notrayicon, xrefs: 00C495B7
#OnAutoItStartRegister, xrefs: 00C495F3
#requireadmin, xrefs: 00C495D9

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ef795e0ffd2fc4e5ea1a0de57473875fe34d0f20707870173a1428481fa359eb
Instruction ID: 22947ca73e43204290aadb06782b4c89a305f4c4c1d6112190a66994bf4fde0d
Opcode Fuzzy Hash: ef795e0ffd2fc4e5ea1a0de57473875fe34d0f20707870173a1428481fa359eb
Instruction Fuzzy Hash: 53215B7220413166C331AB25EC02FF773D8FF91320F10803AF96997081EB719E45D295

Function 00C737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C73840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C73850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C73876

Strings

Listbox, xrefs: 00C7380F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 1c39e7ad6522c1c427f2bf970c235211f623e976edff28482535b1292faa5fc9
Instruction ID: 6e844a09369ef2b7f354ddbb7de02ec9c47e069ed1ac625b90b62b8b71d9dc6f
Opcode Fuzzy Hash: 1c39e7ad6522c1c427f2bf970c235211f623e976edff28482535b1292faa5fc9
Instruction Fuzzy Hash: B221C272600119BBEF118F54CC85FBB376EEF89754F11C125F9189B190C672DD5297A0

Function 00C549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C54A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C54A5C
SetErrorMode.KERNEL32(00000000,?,?,00C7CC08), ref: 00C54AD0

Strings

%lu, xrefs: 00C54A6F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 9ecad0d46d56a77d256e89dd9fc8caff26b24990e6e48f88ba01f325acd75cbf
Instruction ID: 2771fb1d53cf89cb62bb35c8fcd72e5347838c57b5530c5c710e226504e1d44a
Opcode Fuzzy Hash: 9ecad0d46d56a77d256e89dd9fc8caff26b24990e6e48f88ba01f325acd75cbf
Instruction Fuzzy Hash: 48314F75A00109AFDB10DF64C985EAE7BF8EF08308F1480A9F909DB252D771EE85DB61

Function 00C741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C7424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C74264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C74271

Strings

msctls_trackbar32, xrefs: 00C74226

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2660f5060971f8be5a3c8e3121e6d5b32f029363d76bfe1a35e0a8ebf0c477e9
Instruction ID: 1eaffbca9efd388d42fbb7ec9f1befeb0576535e7d5ef9264765d73d211c55d4
Opcode Fuzzy Hash: 2660f5060971f8be5a3c8e3121e6d5b32f029363d76bfe1a35e0a8ebf0c477e9
Instruction Fuzzy Hash: C411E331240248BFEF205E69CC46FAB3BACEF95B54F114524FA69E2091D371DC619B10

Function 00C42F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE6B57: _wcslen.LIBCMT ref: 00BE6B6A

Part of subcall function 00C42DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C42DC5
Part of subcall function 00C42DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C42DD6
Part of subcall function 00C42DA7: GetCurrentThreadId.KERNEL32 ref: 00C42DDD
Part of subcall function 00C42DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C42DE4

GetFocus.USER32 ref: 00C42F78

Part of subcall function 00C42DEE: GetParent.USER32(00000000), ref: 00C42DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C42FC3
EnumChildWindows.USER32(?,00C4303B), ref: 00C42FEB

Strings

%s%d, xrefs: 00C42FFF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 078283d540e6d27f5544ce70542a915ad32694f49142332df84e605a09d634f2
Instruction ID: f670417d42e809201935fcdb7b311717003675e6ed4e1419359c1619d0f2e509
Opcode Fuzzy Hash: 078283d540e6d27f5544ce70542a915ad32694f49142332df84e605a09d634f2
Instruction Fuzzy Hash: A51172716002456BCF157F758CC6FED37AABF94314F0480B9BD099B152DE709A49DB60

Function 00C75882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C758EE
DrawMenuBar.USER32(?), ref: 00C758FD

Strings

0, xrefs: 00C7588F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 499ebc7db1b8dc98f299c6bd056e2e85425d7b8d1342b9cad7fb9fce802240d4
Instruction ID: 194388dbad9f0ce97444f3d50c29938288218251607de51db8e087efee8b63f3
Opcode Fuzzy Hash: 499ebc7db1b8dc98f299c6bd056e2e85425d7b8d1342b9cad7fb9fce802240d4
Instruction Fuzzy Hash: D8016D31500219EFDB619F11DC84BAEBBB4FF45360F10C099E94DD6151DB718A85EF21

Function 00C3D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00C3D3BF
FreeLibrary.KERNEL32 ref: 00C3D3E5

Strings

X64, xrefs: 00C3D2A8
GetSystemWow64DirectoryW, xrefs: 00C3D3B9

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 0c91518bd71cb4168f1a40ad0db03d34d8bc49f97cdfd37d687d45c23b39c465
Instruction ID: 93ba23c384a7d5574c85c197bb30b06a4e27f84f6aa52fe5cbcc075feeeea5cc
Opcode Fuzzy Hash: 0c91518bd71cb4168f1a40ad0db03d34d8bc49f97cdfd37d687d45c23b39c465
Instruction Fuzzy Hash: FDF0E5B14656129FD7A16B11AC98A6E3734AF11701F9980A9F01BE7030DB71CF948F52

Function 00C4007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c00cb6e6e77343bec44cffdb83fb8304c3e099a718f03f564eafa0db86d4b03
Instruction ID: bf4801b0861496669fe2f5c52c75ab2a7b61a94be701c4d4fb3108f6f2eb5fc9
Opcode Fuzzy Hash: 7c00cb6e6e77343bec44cffdb83fb8304c3e099a718f03f564eafa0db86d4b03
Instruction Fuzzy Hash: E3C16D75A40206EFDB14CFA4C898BAEB7B5FF48304F208598E515EB251D771EE81DB90

Function 00C13E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C13F0B
__alldvrm.LIBCMT ref: 00C1410C
__alldvrm.LIBCMT ref: 00C1412E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 9fe9f13daac20edf32ae723768999743013e26d6c604a4ce76ce7700faa735dd
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 0EA16A72D00386AFD719CF59C8817EEBBE4EF67354F2841ADE5559B281C2348AC2E750

Function 00C6342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C63459
CoUninitialize.OLE32 ref: 00C63463
VariantInit.OLEAUT32(?), ref: 00C6346E
VariantClear.OLEAUT32(?), ref: 00C6371B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f4fad5b0ef895029697ab5699d0db0a13cce5d81544c2f20e1b0ad99c4d0098b
Instruction ID: 20f9293e46766b9506cfbb6da6e10f1708bf2ad846f331f6a33e7d21e1ed226a
Opcode Fuzzy Hash: f4fad5b0ef895029697ab5699d0db0a13cce5d81544c2f20e1b0ad99c4d0098b
Instruction Fuzzy Hash: CCA147752047409FC710DF29C895A2AB7E5FF88314F04889DF98A9B362DB30EE05CB92

Function 00C40436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C7FC08,?), ref: 00C405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C7FC08,?), ref: 00C40608
CLSIDFromProgID.OLE32(?,?,00000000,00C7CC40,000000FF,?,00000000,00000800,00000000,?,00C7FC08,?), ref: 00C4062D
_memcmp.LIBVCRUNTIME ref: 00C4064E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e1abbf359eb2bbf8677506445480bf7c75bff428e85ab6a3d3c3b44a239c1546
Instruction ID: d24bfb0ba51cb3c7aec44871a4765791fe560b0420bc0583465b10fa2d65e60a
Opcode Fuzzy Hash: e1abbf359eb2bbf8677506445480bf7c75bff428e85ab6a3d3c3b44a239c1546
Instruction Fuzzy Hash: DA81DB75A00109EFCB04DF94C984EEEB7B9FF89315F204598F616AB250DB71AE46CB60

Function 00C6A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C6A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00C6A6BA

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00C6A79C
CloseHandle.KERNEL32(00000000), ref: 00C6A7AB

Part of subcall function 00BFCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C23303,?), ref: 00BFCE8A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 86d1a1a787713b367acaec1c5d07a1e5864de7c356ae3b962b2898314539e986
Instruction ID: e756175684f54ccae45db7775ce3f9f7be477138e91cccf1063bb82a78bd5f49
Opcode Fuzzy Hash: 86d1a1a787713b367acaec1c5d07a1e5864de7c356ae3b962b2898314539e986
Instruction Fuzzy Hash: 18518D71508340AFD710EF25C886A6FBBE8FF89754F40496DF58997262EB30D944CB92

Function 00C21391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C214C0

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 85735fdd4f91d9f86c376346a39ddba2c99511250cacd84d47d181e217014e75
Instruction ID: c448f5c7caf8183d2c321bcc1caeb35faaabe994e8c6727f31e017e66026f0ce
Opcode Fuzzy Hash: 85735fdd4f91d9f86c376346a39ddba2c99511250cacd84d47d181e217014e75
Instruction Fuzzy Hash: 6F413E35500521ABDB317BBDAC456BE3AA4EF62330F1C4225FC2DD69D1E6748AC1B272

Function 00C76278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C762E2
ScreenToClient.USER32(?,?), ref: 00C76315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C76382

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7af45c509e1eb99295cb70f95d11bc5603e5dd14a0f879e38554d2ef8e5a6e40
Instruction ID: ba1add34d649d6eebeb0a6b4bbc139806c335e9abab25ab1480d076f121188cc
Opcode Fuzzy Hash: 7af45c509e1eb99295cb70f95d11bc5603e5dd14a0f879e38554d2ef8e5a6e40
Instruction Fuzzy Hash: CF514F74A00649EFDF10DF64D881AAE7BB5FF45360F148259F929972A0D730EE81CB50

Function 00C61AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C61AFD
WSAGetLastError.WSOCK32 ref: 00C61B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C61B8A
WSAGetLastError.WSOCK32 ref: 00C61B94

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3f4eee8ba60849dc7d89f8ae0e07fcde191ff6e87b1c51c40a3cde8452ec5f5f
Instruction ID: 04fac840866a313c09f856ecbbc54249a00a37769f9c98163fb8b7f47b25622f
Opcode Fuzzy Hash: 3f4eee8ba60849dc7d89f8ae0e07fcde191ff6e87b1c51c40a3cde8452ec5f5f
Instruction Fuzzy Hash: C04171746402006FE720AF25C886F2977E5AB84718F58849CFA2A9F3D3D772DD418B90

Function 00C1B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44aaf8f960ef17fdb00c66169235b7f20a22249f70861f95baad4f27e42c2638
Instruction ID: 98b2336549af0d84b78408303bbf0b6153d3cc96579536170ca80e2f7026d51b
Opcode Fuzzy Hash: 44aaf8f960ef17fdb00c66169235b7f20a22249f70861f95baad4f27e42c2638
Instruction Fuzzy Hash: 86412971A00314BFD7249F38CC41BEABBE9EB8A710F10852EF511DB681D3719D81AB90

Function 00C556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C55783
GetLastError.KERNEL32(?,00000000), ref: 00C557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C557FA

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: eff10c942da8b96f64c4de365fdc3dda8ff5826a1b7430f077d9ab228cc00571
Instruction ID: dff486197b4ca4b60ae27a265121c08f5ad505157841994c143841504ba0a1d7
Opcode Fuzzy Hash: eff10c942da8b96f64c4de365fdc3dda8ff5826a1b7430f077d9ab228cc00571
Instruction Fuzzy Hash: 38414E39610A50DFCB11DF15C494A5EBBF2EF99321B198488EC5AAB362CB30FD45CB91

Function 00C1D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C06D71,00000000,00000000,00C082D9,?,00C082D9,?,00000001,00C06D71,8BE85006,00000001,00C082D9,00C082D9), ref: 00C1D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C1D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C1D9AB
__freea.LIBCMT ref: 00C1D9B4

Part of subcall function 00C13820: RtlAllocateHeap.NTDLL(00000000,?,00CB1444,?,00BFFDF5,?,?,00BEA976,00000010,00CB1440,00BE13FC,?,00BE13C6,?,00BE1129), ref: 00C13852

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0dc56998cd4ee78953e107ad5b97eab04915ddfe75cb240f10c34304d19621cc
Instruction ID: d0632ff2238b0b55506a464b5900b2eda37d85d58abb481bc5bc6bb0a8dab41e
Opcode Fuzzy Hash: 0dc56998cd4ee78953e107ad5b97eab04915ddfe75cb240f10c34304d19621cc
Instruction Fuzzy Hash: 7531CE72A1020AABDB24DF65DC81EEE7BA5EB42310F054168FC15D7190EB35DE90EBA0

Function 00C752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00C75352
GetWindowLongW.USER32(?,000000F0), ref: 00C75375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C75382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C753A8

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 9a3421f8f5fdf3100af3189d4b80a8572e6d68cb3654fadf8434fc45ade9ca14
Instruction ID: 16af9a11e6ca026ba2224fea4162ca0c8cb888924c63a6ad6c6574826d1f3ece
Opcode Fuzzy Hash: 9a3421f8f5fdf3100af3189d4b80a8572e6d68cb3654fadf8434fc45ade9ca14
Instruction Fuzzy Hash: BB31C334A55A0CEFEB309F24CC56FE837A5AB04390F58C105FA29962F1C7F0AE809B51

Function 00C4AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C4ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C4AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C4AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C4ACC6

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e04a91dede7c162a87074a5b83811e7c529e22f2045dc418af03b10d5e86debf
Instruction ID: 3bdd34712fc6609a467f363667b847958d5a47a45a297450fc8b30898fb63ee4
Opcode Fuzzy Hash: e04a91dede7c162a87074a5b83811e7c529e22f2045dc418af03b10d5e86debf
Instruction Fuzzy Hash: D8313570A80719AFEF34CB658C84BFE7BA5BB89310F04431AE4A5931D0C3768A819792

Function 00C77674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C7769A
GetWindowRect.USER32(?,?), ref: 00C77710
PtInRect.USER32(?,?,00C78B89), ref: 00C77720
MessageBeep.USER32(00000000), ref: 00C7778C

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a00cf0e5cd7fb0383b1d54a51e0bc506b2c5baf521723170ea18aa390f77c7ed
Instruction ID: 19454872015ccf7334697863fe2cb122bcdfb523924975e45fcc6da6f7cdb102
Opcode Fuzzy Hash: a00cf0e5cd7fb0383b1d54a51e0bc506b2c5baf521723170ea18aa390f77c7ed
Instruction Fuzzy Hash: 8541AD34A05259EFCB06CF59C894FAD77F5FB48314F1882A8E8289B261C330AA41CF90

Function 00C716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C716EB

Part of subcall function 00C43A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C43A57
Part of subcall function 00C43A3D: GetCurrentThreadId.KERNEL32 ref: 00C43A5E
Part of subcall function 00C43A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C425B3), ref: 00C43A65

GetCaretPos.USER32(?), ref: 00C716FF
ClientToScreen.USER32(00000000,?), ref: 00C7174C
GetForegroundWindow.USER32 ref: 00C71752

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b56b7b1a9a575e98e5b9f6fea0bfc94130be1db42ea344f4df0ad52bba56accf
Instruction ID: d12113a512eff1c0e8dcfe6a553fde8a64dfeff45f594171c7a68f20fd4fcf73
Opcode Fuzzy Hash: b56b7b1a9a575e98e5b9f6fea0bfc94130be1db42ea344f4df0ad52bba56accf
Instruction Fuzzy Hash: E6313275D00149AFC714DFAAC8C1DAEBBF9EF48304B5480AAE429E7251DB31DE45CBA0

Function 00C4DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00BE7620: _wcslen.LIBCMT ref: 00BE7625

_wcslen.LIBCMT ref: 00C4DFCB
_wcslen.LIBCMT ref: 00C4DFE2
_wcslen.LIBCMT ref: 00C4E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C4E018

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 74d248eec4b18b8750f241975da1f9ebee149aefa278990cccfdc83a307db216
Instruction ID: 26e216d6fa453163fc9776ecb73e2d02c1a676f8766f82214e906cce2400f685
Opcode Fuzzy Hash: 74d248eec4b18b8750f241975da1f9ebee149aefa278990cccfdc83a307db216
Instruction Fuzzy Hash: DE21E271900215AFCB20EFA8D881BAEB7F8FF45710F104069E915BB281D7709E41DBA1

Function 00C78FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BF9BB2

GetCursorPos.USER32(?), ref: 00C79001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C37711,?,?,?,?,?), ref: 00C79016
GetCursorPos.USER32(?), ref: 00C7905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C37711,?,?,?), ref: 00C79094

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6b2fbc4063586f8c4945209cdb9b552a6a66f708dccde239a6a57147b91aaae3
Instruction ID: 89f08ec3dc6719e9f915611b86bf82f5526aa7297a216fb9097544a8b2c43557
Opcode Fuzzy Hash: 6b2fbc4063586f8c4945209cdb9b552a6a66f708dccde239a6a57147b91aaae3
Instruction Fuzzy Hash: 37217F35610018EFDB258F95C898FFE7BF9FB89360F148159F91947261C7329A90EB60

Function 00C4D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C7CB68), ref: 00C4D2FB
GetLastError.KERNEL32 ref: 00C4D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C4D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C7CB68), ref: 00C4D376

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4734866fd679562e8a448dd578e3e2e17df953d22c8128c29ff89a54f8ef2742
Instruction ID: 1345cdf1c459c1b2d3de7e2cd9e2eda17f4b761a38e88eead6b6d5e19ac2fd29
Opcode Fuzzy Hash: 4734866fd679562e8a448dd578e3e2e17df953d22c8128c29ff89a54f8ef2742
Instruction Fuzzy Hash: AB218D705082029F8710EF29C88196E77E4BF56764F504A5DF4AAD32A1D730DE89CB93

Function 00C41571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C41014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C4102A
Part of subcall function 00C41014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C41036
Part of subcall function 00C41014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C41045
Part of subcall function 00C41014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C4104C
Part of subcall function 00C41014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C41062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C415BE
_memcmp.LIBVCRUNTIME ref: 00C415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C41617
HeapFree.KERNEL32(00000000), ref: 00C4161E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 0c9fdfd7ab855a49a56bc3fd4f852b5e9bb01ee18db2b540e9049b8e131d30fd
Instruction ID: f218a8c893e1f614961c931fc6fd92cf7f3b8152bebf764caea37eb27534a145
Opcode Fuzzy Hash: 0c9fdfd7ab855a49a56bc3fd4f852b5e9bb01ee18db2b540e9049b8e131d30fd
Instruction Fuzzy Hash: 5C219D31E00109EFDF00DFA4C945BEEB7B8FF44354F094459E895AB241E730AA85DBA0

Function 00C72782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00C7280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C72824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C72832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C72840

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b0efbb3eab5d859e85861688b26269a984d404ef7a8a0a143ad5c9f55345ece5
Instruction ID: 826e181cfd1649b3f065f0f77d491e86c05996a97cc375ca5e1ef9e9bd75298c
Opcode Fuzzy Hash: b0efbb3eab5d859e85861688b26269a984d404ef7a8a0a143ad5c9f55345ece5
Instruction Fuzzy Hash: 1F21D031204111AFD7149B24C885FAA7B99EF85324F14C15CF42A8B6E2CB72FD82CBD1

Function 00C478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C4790A,?,000000FF,?,00C48754,00000000,?,0000001C,?,?), ref: 00C48D8C
Part of subcall function 00C48D7D: lstrcpyW.KERNEL32(00000000,?,?,00C4790A,?,000000FF,?,00C48754,00000000,?,0000001C,?,?,00000000), ref: 00C48DB2
Part of subcall function 00C48D7D: lstrcmpiW.KERNEL32(00000000,?,00C4790A,?,000000FF,?,00C48754,00000000,?,0000001C,?,?), ref: 00C48DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C48754,00000000,?,0000001C,?,?,00000000), ref: 00C47923
lstrcpyW.KERNEL32(00000000,?,?,00C48754,00000000,?,0000001C,?,?,00000000), ref: 00C47949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C48754,00000000,?,0000001C,?,?,00000000), ref: 00C47984

Strings

cdecl, xrefs: 00C4797B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ac08619a8f8aa18a05607f8db03a6dddd0f469bc686d41c328fa523101891061
Instruction ID: 549c765d3511b5a1b1fd37dc55af72ae269419e0d9ac370b604c9840b73d23f5
Opcode Fuzzy Hash: ac08619a8f8aa18a05607f8db03a6dddd0f469bc686d41c328fa523101891061
Instruction Fuzzy Hash: 2811263A200342ABCF15AF38D844E7E77E9FFA5350B40412AF906C72A4EB319901C7A1

Function 00C77CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00C77D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C77D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C77D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C5B7AD,00000000), ref: 00C77D6B

Part of subcall function 00BF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BF9BB2

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 68f2a3237d92b9df0bac5a0718960a1fde8d27043cc5efbebb957af88a9bf8fa
Instruction ID: 0ad89dab53c51e9c35d898325ae5f9cb3b34e5d9210371e6348dc8f5d9239fb2
Opcode Fuzzy Hash: 68f2a3237d92b9df0bac5a0718960a1fde8d27043cc5efbebb957af88a9bf8fa
Instruction Fuzzy Hash: CB119D31604659AFCB209F68CC44BAA3BA5AF45360F258728FC3DD72F0D7319A60DB90

Function 00C75660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00C756BB
_wcslen.LIBCMT ref: 00C756CD
_wcslen.LIBCMT ref: 00C756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C75816

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: d4583dce18d5c70013253d4247fb4e6ac402cba2b0f829d7e1dcfd7c72783008
Instruction ID: 9044e7c8da1bb9c084a00c75ec847020e8608bc28a7e4a997ab3850fad0e1d34
Opcode Fuzzy Hash: d4583dce18d5c70013253d4247fb4e6ac402cba2b0f829d7e1dcfd7c72783008
Instruction Fuzzy Hash: C911D371A0060896DB209F61CC85BEE7BACEF10760F50C12AFA2DD61C1E7B0DA80CB64

Function 00C11D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3302dd6d3d2cbeb80eb6228dfa274ff6f4b49cb840b1bc4d5b0fe7aadae8aef6
Instruction ID: 9a21c4fe52705373aa1ed978feeafe3c52d01f6b51a124d3020c2ef59b6c4db8
Opcode Fuzzy Hash: 3302dd6d3d2cbeb80eb6228dfa274ff6f4b49cb840b1bc4d5b0fe7aadae8aef6
Instruction Fuzzy Hash: A60162B22096167EF71226787CC1FAB661DEF433B8F380329FA31551D2DB648D907160

Function 00C41A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C41A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C41A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C41A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C41A8A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9a7f15806364fba247787ee75803b4c9b16459d1ab7488c4e23455678c50a91b
Instruction ID: 61ab03ac773fdb0148d976acf7baad5a8f15ad4cced76390b241bbde3bf19574
Opcode Fuzzy Hash: 9a7f15806364fba247787ee75803b4c9b16459d1ab7488c4e23455678c50a91b
Instruction Fuzzy Hash: ED115A3AD01219FFEB10DBA4C984FADBB78FB04350F200091EA00B7290C6716E50EB94

Function 00C4E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C4E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C4E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C4E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C4E24D

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ffb1e11c4002a99910f6c8e210df99dddf86907ddcfcfffa71e07265f6914d63
Instruction ID: eb54f9e36b79086d8cec0ddb3c3639c2ba3d19046135ff7cb0b245a1d7399c07
Opcode Fuzzy Hash: ffb1e11c4002a99910f6c8e210df99dddf86907ddcfcfffa71e07265f6914d63
Instruction Fuzzy Hash: 60110872904215BBC7119BA89C45B9F7FECBB45320F454329F825E3291D6B08E0087A0

Function 00C0D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C0CFF9,00000000,00000004,00000000), ref: 00C0D218
GetLastError.KERNEL32 ref: 00C0D224
__dosmaperr.LIBCMT ref: 00C0D22B
ResumeThread.KERNEL32(00000000), ref: 00C0D249

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 6dc6c4078c63c74086ff600c3401fbb83f5f59a57d0e9e9472e3361252f5850a
Instruction ID: 607bf5b7e04e3f2ab2e06d9f614247156652d43bb822289e28a8a4adb65ce0f3
Opcode Fuzzy Hash: 6dc6c4078c63c74086ff600c3401fbb83f5f59a57d0e9e9472e3361252f5850a
Instruction Fuzzy Hash: 8B014536804205BBCB206BE5DC09BAF3A68EF81331F100228F93A920E0CF70CD81D7A0

Function 00C79EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00BF9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BF9BB2

GetClientRect.USER32(?,?), ref: 00C79F31
GetCursorPos.USER32(?), ref: 00C79F3B
ScreenToClient.USER32(?,?), ref: 00C79F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00C79F7A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 4f364f0aeae38eeb719de519b964e4dc58ee8c87954c9a1554443037b3288395
Instruction ID: 994595f998ee68df74be397f834dae730ada200ecc602db82b70aed7595b9d17
Opcode Fuzzy Hash: 4f364f0aeae38eeb719de519b964e4dc58ee8c87954c9a1554443037b3288395
Instruction Fuzzy Hash: 7511573290051AABDB10EFA8D889EEE77B8FB05311F408455F915E3140D730BB91DBA1

Function 00BE600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BE604C
GetStockObject.GDI32(00000011), ref: 00BE6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BE606A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: da7293e51369d6a3e278de2d1ad490944d2d500d7c5ec8018a4ccf5624bba457
Instruction ID: ce5bd170eb032e544bd19dd2322ec2d75e38ff7be56b25e76b730abd4ba2c48a
Opcode Fuzzy Hash: da7293e51369d6a3e278de2d1ad490944d2d500d7c5ec8018a4ccf5624bba457
Instruction Fuzzy Hash: 5011A172501559BFEF165F959C84FEE7BADEF183A4F040215FA1452011CB32ACA0DB90

Function 00C03B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C03B56

Part of subcall function 00C03AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C03AD2
Part of subcall function 00C03AA3: ___AdjustPointer.LIBCMT ref: 00C03AED

_UnwindNestedFrames.LIBCMT ref: 00C03B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C03B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C03BA4

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d43c95508b000b706e2ae856fa1909efc94d2f603eb73648dd1dcd163e059d5d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 62014072100188BBDF115F95CC42EEB3F6DEF48758F044414FE5856161C732D961EBA0

Function 00C13073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BE13C6,00000000,00000000,?,00C1301A,00BE13C6,00000000,00000000,00000000,?,00C1328B,00000006,FlsSetValue), ref: 00C130A5
GetLastError.KERNEL32(?,00C1301A,00BE13C6,00000000,00000000,00000000,?,00C1328B,00000006,FlsSetValue,00C82290,FlsSetValue,00000000,00000364,?,00C12E46), ref: 00C130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C1301A,00BE13C6,00000000,00000000,00000000,?,00C1328B,00000006,FlsSetValue,00C82290,FlsSetValue,00000000), ref: 00C130BF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 37944c84ff4e175974d0e3773eed073004b03c06c0475ba92c227c6ba964b789
Instruction ID: bc6b2268b10e97790f5663e67ce2b668251b42b37e723af756c904919d6a39bc
Opcode Fuzzy Hash: 37944c84ff4e175974d0e3773eed073004b03c06c0475ba92c227c6ba964b789
Instruction Fuzzy Hash: 1901FC32301663ABC7314B799C84B9B7BD89F4A765B110624F919E3180D721DA81D7E0

Function 00C47464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C4747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C47497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C474CA

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5d9999d58ba20f8b02ad14debd19d661097acb0e67bd0b09e436305801961b3e
Instruction ID: 553fa08ccfaa2fda582c47d4d17c6cf89974b0143b4b39fba2cf046cdf5492c4
Opcode Fuzzy Hash: 5d9999d58ba20f8b02ad14debd19d661097acb0e67bd0b09e436305801961b3e
Instruction Fuzzy Hash: B911ADB1205311ABE7208F14DC48BB67FFCFB00B00F10866DA62AD6191D7B0E944DFA0

Function 00C4B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C4ACD3,?,00008000), ref: 00C4B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C4ACD3,?,00008000), ref: 00C4B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C4ACD3,?,00008000), ref: 00C4B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C4ACD3,?,00008000), ref: 00C4B126

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 9230a73562189fd9e3e684097d5c685870e74e2acd37c741ad642ced58d29ce2
Instruction ID: c97774f918f4aa177cb53d4e665aaa071d64703f340fb55a5980a1e9a7dea48a
Opcode Fuzzy Hash: 9230a73562189fd9e3e684097d5c685870e74e2acd37c741ad642ced58d29ce2
Instruction Fuzzy Hash: 0F115B71C0192DE7CF04AFE5E9987EEBB78FF09711F104099D951B2181CB309A90CB51

Function 00C77E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C77E33
ScreenToClient.USER32(?,?), ref: 00C77E4B
ScreenToClient.USER32(?,?), ref: 00C77E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C77E8A

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a430fe04a290033cf81e6b448d1bb2eeca1bba93b1de60b39c3e7c721ea2f072
Instruction ID: 7274f3ad9bb1b12d4f0c2020475c4d4312d95b19cdc41d0fe9bb4555c0efeb63
Opcode Fuzzy Hash: a430fe04a290033cf81e6b448d1bb2eeca1bba93b1de60b39c3e7c721ea2f072
Instruction Fuzzy Hash: D51144B9D0020AAFDB41DF98D884AEEBBF5FF08310F509156E915E3210D735AA94CF51

Function 00C42DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C42DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C42DD6
GetCurrentThreadId.KERNEL32 ref: 00C42DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C42DE4

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1ed90ae68dc27beb228ac6fe79aa0dd6c45b7d191345244872efac9dd051b2b4
Instruction ID: cd3a47b2554f3831a94973f5e5834cf201f74163b10a9f0dbef73501fed10a8c
Opcode Fuzzy Hash: 1ed90ae68dc27beb228ac6fe79aa0dd6c45b7d191345244872efac9dd051b2b4
Instruction Fuzzy Hash: 8BE01271501625BBD7201B739C8EFEF7E6CFF56BB1F800119F509D10909AA5C981C6B0

Function 00C78863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BF9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF9693
Part of subcall function 00BF9639: SelectObject.GDI32(?,00000000), ref: 00BF96A2
Part of subcall function 00BF9639: BeginPath.GDI32(?), ref: 00BF96B9
Part of subcall function 00BF9639: SelectObject.GDI32(?,00000000), ref: 00BF96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C78887
LineTo.GDI32(?,?,?), ref: 00C78894
EndPath.GDI32(?), ref: 00C788A4
StrokePath.GDI32(?), ref: 00C788B2

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3198a2d1a32dd29d69768e3d5ac907f69763790c4ef154cb20bf4d47d84ada42
Instruction ID: ffc821e00a922376615cb525c03920abe57df182c95704d41d6dbba3ee5ec205
Opcode Fuzzy Hash: 3198a2d1a32dd29d69768e3d5ac907f69763790c4ef154cb20bf4d47d84ada42
Instruction Fuzzy Hash: 3CF03A36041259BADB126F94AC0DFCE3E59AF06710F448104FB25650E1C7755665CBE5

Function 00BF98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BF98CC
SetTextColor.GDI32(?,?), ref: 00BF98D6
SetBkMode.GDI32(?,00000001), ref: 00BF98E9
GetStockObject.GDI32(00000005), ref: 00BF98F1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 24610d50ea41fa94060d7629b892f7c983e4f4d277eaf84c63ca219ef52a66e3
Instruction ID: f8cad9d447c39fc71753695eaacbc6cd9a7a7adb60fcd268457a94e3c2f08604
Opcode Fuzzy Hash: 24610d50ea41fa94060d7629b892f7c983e4f4d277eaf84c63ca219ef52a66e3
Instruction Fuzzy Hash: 96E06D31244285ABEB215B78AC49BEC3F60EB12376F14C32DF6FA580E1C3B246809B10

Function 00C4162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C41634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C411D9), ref: 00C4163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C411D9), ref: 00C41648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C411D9), ref: 00C4164F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 41307b1b617f933b2e46d653e8da9aabd475a7294d074c042b027afb4bfc03a8
Instruction ID: 0a506358e34efd90d076052ee90b9b0e7a2505cec25f60d1624c65b880ee39b9
Opcode Fuzzy Hash: 41307b1b617f933b2e46d653e8da9aabd475a7294d074c042b027afb4bfc03a8
Instruction Fuzzy Hash: B3E08631601212DBD7201FA0AD4DB8A3B7CFF447A1F19480CF699D9090D63485C0C7A4

Function 00C3D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C3D858
GetDC.USER32(00000000), ref: 00C3D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C3D882
ReleaseDC.USER32(?), ref: 00C3D8A3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2b72302fdc2359c586eca1bb5dd1e17b6052f520882c7d60640a0ac7d08ee8a3
Instruction ID: 2d75af1cb7fb40293165b5e96519d851438959a7285e507c0e8054803c315c60
Opcode Fuzzy Hash: 2b72302fdc2359c586eca1bb5dd1e17b6052f520882c7d60640a0ac7d08ee8a3
Instruction Fuzzy Hash: 83E01AB0800206DFCB41AFA1D88876DBBF2FB08310F108049F81AE7250CB385985AF80

Function 00C3D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C3D86C
GetDC.USER32(00000000), ref: 00C3D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C3D882
ReleaseDC.USER32(?), ref: 00C3D8A3

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: edad8024a4a507674768a1cb40cf37f13543fdb8e3e936a91d91232009ec2cfc
Instruction ID: 6933cc13cc49540759bc34ace861eb6c06c976a47936aa7049899162d36aaced
Opcode Fuzzy Hash: edad8024a4a507674768a1cb40cf37f13543fdb8e3e936a91d91232009ec2cfc
Instruction Fuzzy Hash: 1BE09A75800205DFCB51AFA1D88876DBBF5BB08311B148449F95AE7250DB3859459F50

Function 00C54D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE7620: _wcslen.LIBCMT ref: 00BE7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C54ED4

Strings

*, xrefs: 00C54E10
LPT, xrefs: 00C54DFB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 632f3747a6dfb561a6136ed8c9de312ee162efab90b283a781a0e0d95808f849
Instruction ID: 4d04edf7cb7f6c51c2f04407856a7b5b0d99623f54828b52e92b81b49b0d9751
Opcode Fuzzy Hash: 632f3747a6dfb561a6136ed8c9de312ee162efab90b283a781a0e0d95808f849
Instruction Fuzzy Hash: 239151799002449FCB18DF99C494EA9BBF1BF44308F148099E81A5F352D771EEC9CB95

Function 00C0E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C0E30D

Strings

pow, xrefs: 00C0E2E5, 00C0E302

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 305de2701be41cb87a45dee299a2a1fa2dcea7670f3c566b4a0e8d79c7760935
Instruction ID: 695742f0cfdc613b4b41125760011c00da9f63485b8baa9e9b68586365e34ce0
Opcode Fuzzy Hash: 305de2701be41cb87a45dee299a2a1fa2dcea7670f3c566b4a0e8d79c7760935
Instruction Fuzzy Hash: 70513A71A4C2069ACB157754D9013FE2FF4AF41740F344EA8E4A5822F9EB348DD1FA86

Function 00BFE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00BFE1B1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3cbcd824ff2c6a1e030cb11dfeb813bba3cec9c255bc550ed7421e881355cd09
Instruction ID: ff2af06037e09f06d9ba0994cb3ab2e43f06914dfb4f2f91537cc4a1c93a1d02
Opcode Fuzzy Hash: 3cbcd824ff2c6a1e030cb11dfeb813bba3cec9c255bc550ed7421e881355cd09
Instruction Fuzzy Hash: 5E51237590024ADFDB15DF28C481ABE7BE4EF56310F244095F9A19B2E0E730DE46CBA0

Function 00BFF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BFF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BFF2BB

Strings

@, xrefs: 00BFF2AF

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3819c673cabc6110c3a72c6c4fa7dcf0adb95b8f9ed2986a22aa1bb199391e47
Instruction ID: c380c5814f0b89860f6fff86bd8b75cd3c5a12b00b4aa588aa5a57f78db4169e
Opcode Fuzzy Hash: 3819c673cabc6110c3a72c6c4fa7dcf0adb95b8f9ed2986a22aa1bb199391e47
Instruction Fuzzy Hash: 765137714087859BD320AF11EC86BAFBBF8FF84300F81889DF1D941195EB718569CB66

Function 00C65745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C657E0
_wcslen.LIBCMT ref: 00C657EC

Strings

CALLARGARRAY, xrefs: 00C657E6, 00C657EB

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: cdfedff3e8c12556b98dfffb2607587fda1bc0970bc121427545e07214d1ab84
Instruction ID: 5a9f47a3bed5f95161c51a2cff443cf0cf1e38e8eb8a0cc90e73f923a679a1f0
Opcode Fuzzy Hash: cdfedff3e8c12556b98dfffb2607587fda1bc0970bc121427545e07214d1ab84
Instruction Fuzzy Hash: 4141A071A0020A9FCB24DFA9C8C19BEBBF5FF59314F204069E515A7292E7309E85CB90

Function 00C5D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C5D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C5D13A

Strings

|, xrefs: 00C5D10B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 5eb09c4cc7eaf74285c7cd311c0cda24d83a85a98f6aec599d51d4acf1148b04
Instruction ID: b724747b96649a139ac75927d279433e14b54423cf72e795c82de3749cac4817
Opcode Fuzzy Hash: 5eb09c4cc7eaf74285c7cd311c0cda24d83a85a98f6aec599d51d4acf1148b04
Instruction Fuzzy Hash: 37313E75D00209ABCF15EFA5CC85AEF7FB9FF14350F000059F815A61A1DB31AA46DB64

Function 00C7356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C73621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C7365C

Strings

static, xrefs: 00C735BC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f73a3b011761f68c8f0aea90982c6cd4439c98ab603636643bf4b319c32521f8
Instruction ID: 1f35f99e260390904357b8500b792041b547cc2caf8b6d0dbcdfcfe1a31346e5
Opcode Fuzzy Hash: f73a3b011761f68c8f0aea90982c6cd4439c98ab603636643bf4b319c32521f8
Instruction Fuzzy Hash: 94318B71110244AADB109F78DC80FFB73A9FF88720F10C619F9A997290DA31AE81E764

Function 00C74537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00C7461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C74634

Strings

', xrefs: 00C7458E

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 20046dff56681c2af71e38669c027cc411da4961aa77c482cd7802d6fdf871b4
Instruction ID: f747621990920651eae308dbdf39d83d2dbe719ae5dc66ec68331c48582a0b4c
Opcode Fuzzy Hash: 20046dff56681c2af71e38669c027cc411da4961aa77c482cd7802d6fdf871b4
Instruction Fuzzy Hash: 39313874A0020A9FDB18CFA9C991BDA7BB5FF09300F14806AE918AB351D770EA41CF90

Function 00C731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C7327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C73287

Strings

Combobox, xrefs: 00C73249

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 98da8161a47b1ab86e5013a6b3f2d1144f59a32a5c57e9e0366cdce1bf585bc1
Instruction ID: ce6bc76fd8258dbf87c02d7f0d104e4de926e4123299274c1148592db0a657ef
Opcode Fuzzy Hash: 98da8161a47b1ab86e5013a6b3f2d1144f59a32a5c57e9e0366cdce1bf585bc1
Instruction Fuzzy Hash: FB11B6713001497FEF159E54DC84FBB3B6AEB583A4F108128F92C97292D6319E519760

Function 00C73710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BE600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BE604C
Part of subcall function 00BE600E: GetStockObject.GDI32(00000011), ref: 00BE6060
Part of subcall function 00BE600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BE606A

GetWindowRect.USER32(00000000,?), ref: 00C7377A
GetSysColor.USER32(00000012), ref: 00C73794

Strings

static, xrefs: 00C73757

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f29af8d8a2a89ea7940cddbb2c6f832e9f7be632b63021c5a1b3a86db6934717
Instruction ID: e8e5d31291bed66385bbf2d1c03cd451f89aac175ba02cec23e7bbb983182c08
Opcode Fuzzy Hash: f29af8d8a2a89ea7940cddbb2c6f832e9f7be632b63021c5a1b3a86db6934717
Instruction Fuzzy Hash: BB1129B261020AAFDB00DFB8CD85EEE7BB8FB08354F018918F969E2250D735E9519B50

Function 00C5CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C5CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C5CDA6

Strings

<local>, xrefs: 00C5CD66

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d4b7cd31f648cf9db4c6882ed6f6738b24dafdd465d4d252085f6548a820c3e3
Instruction ID: 128ba4308312f3f73ac45159a6be9603596f8704b790ba5cffc9e4f791138d6f
Opcode Fuzzy Hash: d4b7cd31f648cf9db4c6882ed6f6738b24dafdd465d4d252085f6548a820c3e3
Instruction Fuzzy Hash: 9A11A3792057367ED7284B668CC5FE7BEB8EB127A5F00422AF919C2080D6609998D6F4

Function 00C73429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C734BA

Strings

edit, xrefs: 00C7348F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 197d2609bae3371d83f0a874dcd2c15769ee89f3b36ffb4eb34227613c5a26d1
Instruction ID: 6023c0038ef44ff1253cc7063b25c4a97575b217fd4f4fa4f1bdaadd7650093f
Opcode Fuzzy Hash: 197d2609bae3371d83f0a874dcd2c15769ee89f3b36ffb4eb34227613c5a26d1
Instruction Fuzzy Hash: 4911BF71200148ABEB164E64DC84BAB3B6AEB14374F508724FA79931D0C732DE91AB50

Function 00C46C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C46CB6
_wcslen.LIBCMT ref: 00C46CC2

Strings

STOP, xrefs: 00C46CBC, 00C46CC1

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1caff7ef80adc3b1cec74ee3ea9f4c49cb333bf8abb9dbf54dbe9c345f99f10f
Instruction ID: 6dc85898278a9ff865e19b982f2708c516dbf02041216c5cd5be879711e9b5bb
Opcode Fuzzy Hash: 1caff7ef80adc3b1cec74ee3ea9f4c49cb333bf8abb9dbf54dbe9c345f99f10f
Instruction Fuzzy Hash: 5501C032A105278ACB20AFFEDCC09BF77F9FF627147500928E86296198EB31DE40C651

Function 00C41CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C43CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C41D4C

Strings

ComboBox, xrefs: 00C41CEB
ListBox, xrefs: 00C41D16

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 312ed86e94e3afc59a1b8be3e58638c44b7a442a9cc9c9349ed693767a24dad9
Instruction ID: a270aada65aabe54d55134bc7e36f0c1b9f73f841c6250698610eca919c4fee8
Opcode Fuzzy Hash: 312ed86e94e3afc59a1b8be3e58638c44b7a442a9cc9c9349ed693767a24dad9
Instruction Fuzzy Hash: 9001D871A41215AB8B15FFA5CC51DFE77A8FB46390B140A19FC72573D1EB30594C8660

Function 00C41BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C43CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C41C46

Strings

ComboBox, xrefs: 00C41BE5
ListBox, xrefs: 00C41C10

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c61a9ec783245aaeb47b8d61ca75285f53ac2685bf7a14d3e482c6cdee40fed4
Instruction ID: 971ad51796eac13c33c6d8676418ce79222a7605aec0d2380d1de8138b7e2ccd
Opcode Fuzzy Hash: c61a9ec783245aaeb47b8d61ca75285f53ac2685bf7a14d3e482c6cdee40fed4
Instruction Fuzzy Hash: 0901A77568115967CB14FB91CD91AFF77E8AB52380F140019BC5667281EA209F4C96B1

Function 00C41C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C43CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C41CC8

Strings

ComboBox, xrefs: 00C41C69
ListBox, xrefs: 00C41C94

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bf25f535854a25fe86eb8f19fbb7b7febe6674e245c4c6a3415fcac17e570552
Instruction ID: f2eb340ccd64a38eefb36c4a4be6ed07dfffe2d706a0131ba0f7e2a6bcb91538
Opcode Fuzzy Hash: bf25f535854a25fe86eb8f19fbb7b7febe6674e245c4c6a3415fcac17e570552
Instruction Fuzzy Hash: 9C01D67169015967CB14FBA5CE81AFE77E8AB12380F580019BC4273281FA209F8CD671

Function 00C41D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9CB3: _wcslen.LIBCMT ref: 00BE9CBD

Part of subcall function 00C43CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C43CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C41DD3

Strings

ComboBox, xrefs: 00C41D75
ListBox, xrefs: 00C41DA0

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a0e6509345eefbec47f71358e940b1402fbab1dbbf0d3248108ef61e71b67e8e
Instruction ID: cb619febd808e54cee4bb0289f2249267688e4d3fb31847339d353f5c919f2e6
Opcode Fuzzy Hash: a0e6509345eefbec47f71358e940b1402fbab1dbbf0d3248108ef61e71b67e8e
Instruction Fuzzy Hash: 5CF0A4B1F5121567DB15F7A5CC92BFE77A8BB02390F580919BC62632C1EB605A4C8260

Function 00C6747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C67493
_wcslen.LIBCMT ref: 00C674B9

Strings

3, 3, 16, 1, xrefs: 00C67483

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 8e99bf54cdb2714123404209552a80b11ddd034015c2bc03f9b90b06fb9cf723
Instruction ID: 5f0bc55c41dfbfc391c99c332750036c401053e052e12653e4c348ff989dc9bd
Opcode Fuzzy Hash: 8e99bf54cdb2714123404209552a80b11ddd034015c2bc03f9b90b06fb9cf723
Instruction Fuzzy Hash: D0E02B4220522010D23512799CC5A7F568DDFC5B507101D3BFE81C22A6EE948E91E3A0

Function 00C40B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C40B23

Strings

AutoIt, xrefs: 00C40B17
Error allocating memory., xrefs: 00C40B1C

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1af4756d196d5af4bd9f4978c1782048699bb5563a21249207bafa84445012dc
Instruction ID: 17def4ef2e1d87eb08d66965705fd479b0c6737ba283981ff61cfbee678ab522
Opcode Fuzzy Hash: 1af4756d196d5af4bd9f4978c1782048699bb5563a21249207bafa84445012dc
Instruction Fuzzy Hash: 11E0D83228430A26D21436547C43F997BC49F05B65F10447EFB5C594C38AE1649046A9

Function 00C00D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BFF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C00D71,?,?,?,00BE100A), ref: 00BFF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00BE100A), ref: 00C00D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BE100A), ref: 00C00D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C00D7F

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 4ea7b1e6a04a4fc0c669378b15698eba070628fefd3f1ada723f85a732ea57f6
Instruction ID: 433ad7cdd989c985f5c124404aeeb582e943f8eab71377edcc4ac891155bd96c
Opcode Fuzzy Hash: 4ea7b1e6a04a4fc0c669378b15698eba070628fefd3f1ada723f85a732ea57f6
Instruction Fuzzy Hash: 96E092B02007428BD330AFB9E8483567BE0BF00740F01896DE49AC7692EBF4E584CBA1

Function 00C53017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C5302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C53044

Strings

aut, xrefs: 00C53038

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 65b0b80d368839094b786713b6dbe1ca5a96e7a9a885a887426c395431bf2428
Instruction ID: 3b4abac032d65c42cc39de1cfb0c1f2ba1f88aaf2c0af547f0b2746c8dd22875
Opcode Fuzzy Hash: 65b0b80d368839094b786713b6dbe1ca5a96e7a9a885a887426c395431bf2428
Instruction Fuzzy Hash: C0D05EB250032967DB20A7A4AC4EFCB3A6CDB05750F0002A1B669E2092DAB49E84CBD0

Function 00C3D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C3D220

Strings

X64, xrefs: 00C3D2A8
%.3d, xrefs: 00C3D22B

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 1c86ad74fe65bc182f7e20cf97f91209889a99eb0d4a2d04cfb6bcef6a83388f
Instruction ID: f1ae9f8b66fb74b204dacc163fb01888bbd72a46b193df453f3967abc1779121
Opcode Fuzzy Hash: 1c86ad74fe65bc182f7e20cf97f91209889a99eb0d4a2d04cfb6bcef6a83388f
Instruction Fuzzy Hash: 52D012A1819109E9CB9096E1EC859BBB3BCBB08301F6084A2F907D2041D635C9586B61

Function 00C72356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C7236C
PostMessageW.USER32(00000000), ref: 00C72373

Part of subcall function 00C4E97B: Sleep.KERNEL32 ref: 00C4E9F3

Strings

Shell_TrayWnd, xrefs: 00C72365

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 467bb938c448cd4bf03b63ab7a3a6819c2beb718d23bde9e67b4c204d472de86
Instruction ID: 0427e3e46c4a6f69bf612512923a63f11ff3b9795c7a40047d0088e65e961fd2
Opcode Fuzzy Hash: 467bb938c448cd4bf03b63ab7a3a6819c2beb718d23bde9e67b4c204d472de86
Instruction Fuzzy Hash: AFD012327D5311BBE7A4B771EC8FFCA7A18AB15B14F01491AB749EA1D0C9F0B881CA54

Function 00C72322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C7232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C7233F

Part of subcall function 00C4E97B: Sleep.KERNEL32 ref: 00C4E9F3

Strings

Shell_TrayWnd, xrefs: 00C72325

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1975d0dd01d6d62883cfaed66cf05867cb03b8607c9f84723d822fc36dffa970
Instruction ID: 010e1554d40dfa0acc9bdb22c730637c602a258399aee1dc044b4b18e02eb558
Opcode Fuzzy Hash: 1975d0dd01d6d62883cfaed66cf05867cb03b8607c9f84723d822fc36dffa970
Instruction Fuzzy Hash: A8D01236794311B7E7A4B771EC8FFCA7A18AB10B14F01491AB749EA1D0C9F0A881CA54

Function 00C1BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C1BE93
GetLastError.KERNEL32 ref: 00C1BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C1BEFC

Memory Dump Source

Source File: 00000000.00000002.1674832347.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1674819063.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000C7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674881588.0000000000CA2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674917862.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674931715.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 72146adacb8a9aa8bba8dc5d877b86fc328a7dd0a8519b2563da3c4af11a52d0
Instruction ID: 056c6f095578f4cf14e5289b7b2e5bb65049e1b7e807f6e5bd4336f1e7d9077f
Opcode Fuzzy Hash: 72146adacb8a9aa8bba8dc5d877b86fc328a7dd0a8519b2563da3c4af11a52d0
Instruction Fuzzy Hash: 2141A638604206EFCF219FA5CD44BEA7BA59F43310F144169F969571E1DB308E82EF60

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 178.79.238.128
Source: unknown	TCP traffic detected without corresponding DNS query: 178.79.238.128
Source: unknown	TCP traffic detected without corresponding DNS query: 178.79.238.128
Source: unknown	TCP traffic detected without corresponding DNS query: 178.79.238.128
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-876195964&timestamp=1727822227278 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=P90Z9-rXxK8_-E7wu12zzGdvRWxsnY-_leVqqQoS-pzJEQClsVY9q37cPJQwB3Clkppog8Xo3b4nQUyA0S0tdsBntGuTqKWxk61G_KZvzykkWuVE7dfrgb4ExK0B_4VDfDKKhoyy_25j323J--R478_pDvzbMPDCnKJaoZSfC8OJpCNyDQ
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gGA4BVfGXFGsMWA&MD=2z9Zt9P4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gGA4BVfGXFGsMWA&MD=2z9Zt9P4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 00BE42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00BE42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00C22BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00C4D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 00C4DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 00C6AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00BE2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00C2065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00BE344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00BE2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00BE3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre