Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524436
MD5:	1cc0eec2a3105dbf316fdc0fbaac2bc9
SHA1:	5edd2ae6665330de970ac886d99242da9afdc2cd
SHA256:	4e0d0b1dfb20de40249c8015e0b85ae809cdea9fe4191101eccf19448511b115
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1CC0EEC2A3105DBF316FDC0FBAAC2BC9)

taskkill.exe (PID: 7648 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7712 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7980 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8176 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7416 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7632	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_87.4.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_87.4.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.1699005281.0000000001098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_84.4.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_87.4.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_88.4.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_84.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_84.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_87.4.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_88.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_87.4.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_88.4.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_88.4.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_88.4.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_88.4.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_88.4.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_88.4.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_88.4.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_88.4.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_88.4.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_84.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_87.4.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_88.4.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_87.4.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_84.4.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_87.4.dr	String found in binary or memory: https://www.google.com
Source: chromecache_88.4.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_84.4.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_84.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_84.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_84.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_84.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_84.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_88.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_88.4.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.1678003373.00000000005B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_88.4.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 62752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62750
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 62748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62752
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62749
Source: unknown	Network traffic detected: HTTP traffic on port 62749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:62750 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007EED6A

Source: C:\Users\user\Desktop\file.exe

0_2_007EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_007DAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00809576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00809576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1664608483.0000000000832000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0ae955cd-4
Source: file.exe, 00000000.00000000.1664608483.0000000000832000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2b9b836c-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_da86bdb6-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_71711395-f

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_007DD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_007D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007DE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00778060	0_2_00778060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E2046	0_2_007E2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D8298	0_2_007D8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AE4FF	0_2_007AE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A676B	0_2_007A676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00804873	0_2_00804873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077CAF0	0_2_0077CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079CAA0	0_2_0079CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078CC39	0_2_0078CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A6DD9	0_2_007A6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078B119	0_2_0078B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007791C0	0_2_007791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791394	0_2_00791394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791706	0_2_00791706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079781B	0_2_0079781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078997D	0_2_0078997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00777920	0_2_00777920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007919B0	0_2_007919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00797A4A	0_2_00797A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791C77	0_2_00791C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00797CA7	0_2_00797CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FBE44	0_2_007FBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A9EEE	0_2_007A9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791F32	0_2_00791F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00790A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0078F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@34/32@14/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E37B5 GetLastError,FormatMessageW,

0_2_007E37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D10BF AdjustTokenPrivileges,CloseHandle,		0_2_007D10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007D16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007E51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_007FA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_007E648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007742A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00790A76 push ecx; ret

0_2_00790A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0078F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00801C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95891

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007DDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E68EE FindFirstFileW,FindClose,	0_2_007E68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_007E698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007DD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007DD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007E9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007E979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_007E9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_007E5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007742DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007EEAA2 BlockInput,

0_2_007EEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007A2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00794CE8 mov eax, dword ptr fs:[00000030h]

0_2_00794CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_007D0B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007A2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0079083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007909D5 SetUnhandledExceptionFilter,	0_2_007909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00790C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00790C21

Source: C:\Users\user\Desktop\file.exe

0_2_007D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_007B2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007DB226 SendInput,keybd_event,

0_2_007DB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007F22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_007D0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_007D1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00790698 cpuid

0_2_00790698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_007E8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CD27A GetUserNameW,

0_2_007CD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007ABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_007ABB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007742DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7632, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7632, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_007F1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.142	true	false	unknown
www3.l.google.com	142.250.184.238	true	false	unknown
play.google.com	142.250.184.206	true	false	unknown
www.google.com	142.250.186.132	true	false	unknown
youtube.com	142.250.184.238	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_88.4.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_88.4.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_84.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_87.4.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_87.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_87.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_84.4.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_87.4.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_88.4.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_88.4.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_87.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_87.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.4	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
142.250.186.132	www.google.com	United States	15169	GOOGLEUS	false
142.250.184.238	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.184.206	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524436
Start date and time:	2024-10-02 19:23:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@34/32@14/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 39 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.227, 216.58.206.46, 66.102.1.84, 34.104.35.123, 172.217.23.99, 142.250.186.163, 142.250.185.234, 142.250.186.170, 142.250.184.234, 172.217.18.10, 142.250.185.138, 172.217.16.202, 142.250.185.202, 142.250.186.42, 142.250.181.234, 142.250.185.170, 142.250.186.74, 142.250.186.106, 142.250.184.202, 142.250.185.106, 216.58.212.170, 216.58.206.42, 172.217.18.106, 142.250.74.202, 216.58.206.74, 172.217.23.106, 142.250.186.138, 93.184.221.240, 192.229.221.95, 74.125.71.84, 142.250.186.78
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://kfdsh.org/frrgde?e=	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://kfdsh.org/frrgde?e=	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1652
Entropy (8bit):	5.269909938363071
Encrypted:	false
SSDEEP:	48:o72ZrNZDuZW4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyRuZMNAY+1i4HoBNG2Ilw
MD5:	63E5B24335CCDC457DD0B69AD1891CF9
SHA1:	8DD3AED0737BEDBEE133BA564D3CA43579A138F7
SHA-256:	FB72BE79F85659D5AF831FD644C4702EA5BFC6E6A90CDB156DE0816B179278C0
SHA-512:	EC3A143FED571A7FC490433F11DDBD66752E42F0BAC476F79F9B8310DB0419CAE2B8CD65F1283D590F5979F4CC1FB8B2610F106BF38E0B93F384201B8BF5E5DA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=xUdipf,OTA3Ae,A1yn5d,fKUV3e,aurFic,Ug7Xab,NwH0H,OmgaI,gychg,w9hDv,EEDORb,Mlhmy,ZfAoz,kWgXee,ovKuLd,yDVVkb,ebZ3mb,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791086230020914
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
MD5:	1A3606C746E7B1C949D9078E8E8C1244
SHA1:	56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
SHA-256:	5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
SHA-512:	F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1416
Entropy (8bit):	5.275155058463166
Encrypted:	false
SSDEEP:	24:kMYD7hqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87O/BprGJ:o7hv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4DB6842CDFAC9E03D7C1CF87E398B357
SHA1:	08158AB8F5947E048C88A1289E9E8CE9641B7CE9
SHA-256:	8991D23B586608AE114E150355FF192B30A379EAB1DC3F1444109DDC52B13AC1
SHA-512:	FB7C461DFB96B10E099C3BA41C45AA904BB7D473EF0D44BD6A2E841BC44336DD5F1C9B73919B79A6BF4AA13B806E742F2003A16528E995374E210BB4C3E96EFA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e){if($Za)if(e instanceof _.lf){if(!e.status\|\|

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZfAoz,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2544)
Category:	downloaded
Size (bytes):	358799
Entropy (8bit):	5.624587482410481
Encrypted:	false
SSDEEP:	6144:T/wM8RGYcBlKmhCxiDlnc0pYMSrBg5X3rU:TD8XxEdA
MD5:	A51DFF6CB98C15CBA0A2B688CC0A862F
SHA1:	5CF15DBD322A0F9CF3A820013E185EC2EDD56BB0
SHA-256:	854215C9FE46B6029883F37C44512F7EB10BA97FC7A623C237DC6824BD92DB1E
SHA-512:	D1036F2C4AE71BE22315D5AEC062E1D59EA2570D7138B97F367149C9622BEE35EAC1DBE9818AC7BE107D88683089EBE220951D025CC11908055B108B27D7BD86
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,EFQ78c,EIOG1e,GwYlN,I6YDgd,IZT63,K0PMbc,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,y5vRwf,zbML3c,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3190)
Category:	downloaded
Size (bytes):	339747
Entropy (8bit):	5.53363647964667
Encrypted:	false
SSDEEP:	3072:Vuv7kVKtaVFuzDXG6ZfzeelpRv9xqjne01T2HemAIaDlC6diGVOY50UlRQQIBeDq:svaKtM6ZfTxene0F2HemAaGP6BBe2
MD5:	D2D05D80ACF53F04C1BEB6A387216F5E
SHA1:	6E8B87D352419E28C5F8E3881787DC6C56CEB26E
SHA-256:	4BA0D4EA27446C609D515539A334E3B16A4AC7BF936A996CF7E3927FFDDD569F
SHA-512:	966582697B455B2DDC52210A0F46EFD77EDC67D668E7FC2F14E18DF38E8595472AB76ED17B9D2928E16FA987E3231C2A45D9BD52D9DC2CE7E4C394E2453518E6
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".EE6QGf{border-bottom-style:solid;border-bottom-width:1px;padding:16px;width:100%;z-index:6;background:#fff;background:var(--gm3-sys-color-surface-container-lowest,#fff);border-color:#c4c7c5;border-color:var(--gm3-sys-color-outline-variant,#c4c7c5);display:block;position:relative}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:inherit}@media (min-width:600px){.EE6QGf{align-items:center;display:flex;left:0;position:fixed;top:0}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:150px}}@media (min-width:600px) and (orientation:landscape){.EE6QGf{display:block;position:relative}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:inherit}}@media (min-width:960px) and (orientation:landscape){.EE6QGf{align-items:center;display:flex;left:0;position:fixed;top:0}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:150px}}.PZB4Lc{display:flex;width:100%}.YLIzab{font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1rem;font-weight:500;letter-spacing:0rem;line-height:1

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,iAskyc,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,iAskyc,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582478564789801
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	1cc0eec2a3105dbf316fdc0fbaac2bc9
SHA1:	5edd2ae6665330de970ac886d99242da9afdc2cd
SHA256:	4e0d0b1dfb20de40249c8015e0b85ae809cdea9fe4191101eccf19448511b115
SHA512:	fa5aea0be6f2a6b6eebc28c51fb8e6d5798df79a7b27df7e208a0e4984292242255dd54c94a1bee338034151f9817eaa36103cb537d61a9d35a11ef33cd1d39d
SSDEEP:	12288:DqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaBTG:DqDEvCTbMWu7rQYlBQcBiT6rprG8aVG
TLSH:	DB159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD8129 [Wed Oct 2 17:21:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA1D08BFFD3h
jmp 00007FA1D08BF8DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA1D08BFABDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA1D08BFA8Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA1D08C267Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA1D08C26C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA1D08C26B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9944	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9944	0x9a00	0d02492706b10f5353a260827c305701	False	0.3037997159090909	data	5.281111615804736	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xc0c	data			1.0035667963683528
RT_GROUP_ICON	0xdd3c4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd43c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd450	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd464	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd478	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd554	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:24:03.353795052 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:03.353832960 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:03.353880882 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:03.355113029 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:03.355149031 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:03.990503073 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:03.992302895 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:03.992316008 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:03.992679119 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:03.992733002 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:03.993516922 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:03.993556023 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:03.995837927 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:03.995898008 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:03.997369051 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:03.997379065 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:04.038039923 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:04.285315990 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:04.285516024 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:04.285573959 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:04.286350965 CEST	49732	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:04.286364079 CEST	443	49732	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:04.298224926 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:04.298249960 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:04.298306942 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:04.298671961 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:04.298686981 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:04.350543976 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 2, 2024 19:24:05.019434929 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.043402910 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.043435097 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.044826031 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.045908928 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.047302961 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.047406912 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.049241066 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.049241066 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.049264908 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.049433947 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.101558924 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.101581097 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.147429943 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.322061062 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.322118998 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.322210073 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.322222948 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.322288990 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:05.322817087 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.324707031 CEST	49736	443	192.168.2.4	142.250.185.142
Oct 2, 2024 19:24:05.324722052 CEST	443	49736	142.250.185.142	192.168.2.4
Oct 2, 2024 19:24:07.236485958 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:07.236504078 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:07.236557961 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:07.236767054 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:07.236778021 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:07.821887016 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:07.821928978 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:07.821991920 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:07.823550940 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:07.823574066 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:07.890825987 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:07.891314983 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:07.891382933 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:07.892271996 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:07.892337084 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:07.893369913 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:07.893431902 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:07.946033001 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:07.946052074 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:07.992917061 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:08.484481096 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.484553099 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.488857985 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.488874912 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.489306927 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.539752960 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.560575962 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.607429028 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.749891996 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.750063896 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.750140905 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.750236034 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.750236988 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.750287056 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.750315905 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.795494080 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.795598984 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:08.795819044 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.796053886 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:08.796094894 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:09.462654114 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:09.462802887 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:09.465389013 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:09.465437889 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:09.465956926 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:09.467271090 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:09.511396885 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:09.743221045 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:09.743319035 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:09.746588945 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:09.996844053 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:09.996874094 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:09.996891975 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 2, 2024 19:24:09.996900082 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 2, 2024 19:24:12.492230892 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:12.492275953 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:12.492341995 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:12.493601084 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:12.493616104 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.214219093 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.214557886 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.214586020 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.215151072 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.215219021 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.216218948 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.216281891 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.217449903 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.217544079 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.217645884 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.217660904 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.273056030 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.537508965 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.537606001 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.537620068 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:13.537653923 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.537657976 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.537681103 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:13.537689924 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.537719965 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.537754059 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:13.541980028 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:13.542021036 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:13.543201923 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.543258905 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.543287992 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.549487114 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.549527884 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.549552917 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.549577951 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.549618959 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.555835009 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.555887938 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.562164068 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.562207937 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.562247992 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.562271118 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.562311888 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.612762928 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:13.612807035 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:13.613032103 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:13.613225937 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:13.613240004 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:13.633083105 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.633152008 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.633202076 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.633244991 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.633284092 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.633302927 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.633304119 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.633304119 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.633337021 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.633378029 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.638808966 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.638922930 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.645514965 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.645567894 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.645586967 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.668560982 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.668608904 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.668637991 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.668643951 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.668672085 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.668689966 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.673973083 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:13.674037933 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.674123049 CEST	49759	443	192.168.2.4	142.250.184.238
Oct 2, 2024 19:24:13.674144030 CEST	443	49759	142.250.184.238	192.168.2.4
Oct 2, 2024 19:24:14.172396898 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.172746897 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.172785044 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.173299074 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.173367977 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.174297094 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.174350977 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.175263882 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.175364017 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.175576925 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.175590038 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.227869987 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.456201077 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.456423998 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.456434965 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.456950903 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.457020998 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.457971096 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.458031893 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.458138943 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.458214998 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.458442926 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.458450079 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.491576910 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.491904020 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.491991043 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.493132114 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.493160963 CEST	443	49761	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.493176937 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.493236065 CEST	49761	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.495085001 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.495127916 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.495193958 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.495949030 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.495965004 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.501379013 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.760138035 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.760236979 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.760310888 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.794105053 CEST	49763	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.794131994 CEST	443	49763	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.795237064 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.795346975 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:14.795437098 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.795768023 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:14.795779943 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.134372950 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.134694099 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.134721994 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.135077953 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.135152102 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.135813951 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.135869026 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.136004925 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.136055946 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.136168003 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.136174917 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.136187077 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.179140091 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.179184914 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.352976084 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.354636908 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.354706049 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.355221033 CEST	49765	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.355233908 CEST	443	49765	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.422213078 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.422580957 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.422620058 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.422976017 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.423041105 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.423674107 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.423732996 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.423882961 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.424047947 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.424057007 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.424068928 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.424088001 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.467672110 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.467715025 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.510337114 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.641486883 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.642920971 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:15.642996073 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.643966913 CEST	49766	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:15.643996000 CEST	443	49766	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:16.248440981 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:16.295413971 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521365881 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521420002 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521450043 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521475077 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:16.521488905 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521500111 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521537066 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:16.521553993 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521673918 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:16.521790981 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521846056 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.521892071 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:16.526580095 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:16.526597023 CEST	443	49741	142.250.186.132	192.168.2.4
Oct 2, 2024 19:24:16.526612043 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:16.526647091 CEST	49741	443	192.168.2.4	142.250.186.132
Oct 2, 2024 19:24:18.790286064 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:18.790335894 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:18.790456057 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:18.791614056 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:18.791630030 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:19.389389992 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:19.389468908 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:19.392939091 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:19.392956972 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:19.393301964 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:19.446898937 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:20.142170906 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:20.187392950 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.337682009 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.337704897 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.337712049 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.337740898 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.337753057 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.337764978 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.337781906 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:20.337781906 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:20.337806940 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.337821007 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:20.337856054 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:20.338603973 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.338663101 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:20.338670969 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.338758945 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:20.339807987 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:21.050494909 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:21.050520897 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:21.050533056 CEST	49774	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:21.050538063 CEST	443	49774	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:21.309814930 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:21.309868097 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:21.310204983 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:21.310506105 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:21.310518980 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:21.589925051 CEST	80	49723	178.79.208.1	192.168.2.4
Oct 2, 2024 19:24:21.590068102 CEST	49723	80	192.168.2.4	178.79.208.1
Oct 2, 2024 19:24:21.590241909 CEST	49723	80	192.168.2.4	178.79.208.1
Oct 2, 2024 19:24:21.595091105 CEST	80	49723	178.79.208.1	192.168.2.4
Oct 2, 2024 19:24:21.942147017 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:21.942464113 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:21.942487955 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:21.942810059 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:21.943202972 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:21.943267107 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:21.943423986 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:21.943423986 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:21.943453074 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:22.265971899 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:22.266927958 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:22.267009974 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:22.328310966 CEST	49779	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:22.328335047 CEST	443	49779	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:33.581281900 CEST	62746	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:33.586412907 CEST	53	62746	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:33.586532116 CEST	62746	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:33.591481924 CEST	53	62746	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:34.042057037 CEST	62746	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:34.048090935 CEST	53	62746	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:34.048199892 CEST	62746	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:43.902271986 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:43.902313948 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:43.902445078 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:43.902990103 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:43.903008938 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:43.964338064 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:43.964378119 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:43.964468956 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:43.965146065 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:43.965162992 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.607639074 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.608019114 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.608059883 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.608669996 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.609117985 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.609205008 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.609358072 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.609388113 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.609395981 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.635656118 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.636007071 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.636030912 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.636698961 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.637152910 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.637238026 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.637372971 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.637387991 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.637403965 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.821669102 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.821970940 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.822053909 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.822277069 CEST	62748	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.822302103 CEST	443	62748	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.945589066 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.946620941 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:44.946707010 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.947263002 CEST	62747	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:44.947284937 CEST	443	62747	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:45.355446100 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:45.355561972 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:45.355817080 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:45.356136084 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:45.356165886 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:46.027157068 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:46.027676105 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:46.027746916 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:46.028275967 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:46.028886080 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:46.028975964 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:46.029231071 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:46.029264927 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:46.029277086 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:46.255243063 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:46.255848885 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:46.256042957 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:46.256424904 CEST	62749	443	192.168.2.4	142.250.184.206
Oct 2, 2024 19:24:46.256491899 CEST	443	62749	142.250.184.206	192.168.2.4
Oct 2, 2024 19:24:57.800357103 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:57.800404072 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:57.800483942 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:57.800839901 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:57.800851107 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.408963919 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.409116983 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.419159889 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.419179916 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.420084000 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.427894115 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.475394011 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.664398909 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.664453983 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.664494991 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.664602995 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.664618015 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.664635897 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.664671898 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.664676905 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.664702892 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.664737940 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.665330887 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.665433884 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.665478945 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.672246933 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.672270060 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:24:58.672285080 CEST	62750	443	192.168.2.4	20.12.23.50
Oct 2, 2024 19:24:58.672290087 CEST	443	62750	20.12.23.50	192.168.2.4
Oct 2, 2024 19:25:07.299072027 CEST	62752	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:25:07.299139977 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:25:07.299253941 CEST	62752	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:25:07.299446106 CEST	62752	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:25:07.299468040 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:25:07.959867001 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:25:07.960350037 CEST	62752	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:25:07.960361004 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:25:07.961472988 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:25:07.961795092 CEST	62752	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:25:07.961962938 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:25:08.008956909 CEST	62752	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:25:10.804727077 CEST	49724	80	192.168.2.4	88.221.110.106
Oct 2, 2024 19:25:10.812949896 CEST	80	49724	88.221.110.106	192.168.2.4
Oct 2, 2024 19:25:10.813102007 CEST	49724	80	192.168.2.4	88.221.110.106
Oct 2, 2024 19:25:17.864425898 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:25:17.864521027 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:25:17.864562988 CEST	62752	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:25:30.601983070 CEST	62752	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:25:30.602055073 CEST	443	62752	172.217.18.4	192.168.2.4
Oct 2, 2024 19:26:07.352982044 CEST	62759	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:26:07.353037119 CEST	443	62759	172.217.18.4	192.168.2.4
Oct 2, 2024 19:26:07.353566885 CEST	62759	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:26:07.353566885 CEST	62759	443	192.168.2.4	172.217.18.4
Oct 2, 2024 19:26:07.353614092 CEST	443	62759	172.217.18.4	192.168.2.4
Oct 2, 2024 19:26:07.994535923 CEST	443	62759	172.217.18.4	192.168.2.4
Oct 2, 2024 19:26:08.038897991 CEST	62759	443	192.168.2.4	172.217.18.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:24:03.334824085 CEST	50505	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:03.334956884 CEST	60515	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:03.343002081 CEST	53	61591	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:03.343460083 CEST	53	60515	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:03.343647003 CEST	53	50505	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:03.349344015 CEST	53	59254	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:04.290518045 CEST	53506	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:04.290630102 CEST	52202	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:04.297583103 CEST	53	53506	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:04.297815084 CEST	53	52202	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:04.321902990 CEST	53	55208	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:07.227897882 CEST	56315	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:07.228018045 CEST	65035	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:07.235044956 CEST	53	56315	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:07.235719919 CEST	53	65035	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:10.001609087 CEST	53	55164	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:12.484332085 CEST	50334	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:12.484464884 CEST	58309	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:12.491400003 CEST	53	50334	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:12.491420984 CEST	53	58309	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:13.517786980 CEST	58530	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:13.517947912 CEST	65476	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:24:13.524643898 CEST	53	65476	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:13.524878025 CEST	53	58530	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:15.283921957 CEST	53	60415	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:21.241682053 CEST	53	58108	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:22.533901930 CEST	138	138	192.168.2.4	192.168.2.255
Oct 2, 2024 19:24:33.580831051 CEST	53	65087	1.1.1.1	192.168.2.4
Oct 2, 2024 19:24:40.111283064 CEST	53	50228	1.1.1.1	192.168.2.4
Oct 2, 2024 19:25:02.596137047 CEST	53	49173	1.1.1.1	192.168.2.4
Oct 2, 2024 19:25:02.705770016 CEST	53	60418	1.1.1.1	192.168.2.4
Oct 2, 2024 19:25:07.290992975 CEST	60085	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:25:07.291117907 CEST	52544	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:25:07.297868013 CEST	53	60085	1.1.1.1	192.168.2.4
Oct 2, 2024 19:25:07.298258066 CEST	53	52544	1.1.1.1	192.168.2.4
Oct 2, 2024 19:25:14.333589077 CEST	53	59770	1.1.1.1	192.168.2.4
Oct 2, 2024 19:25:14.612617016 CEST	49430	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:25:14.612689018 CEST	58745	53	192.168.2.4	1.1.1.1
Oct 2, 2024 19:25:14.619513035 CEST	53	58745	1.1.1.1	192.168.2.4
Oct 2, 2024 19:25:14.619868994 CEST	53	49430	1.1.1.1	192.168.2.4
Oct 2, 2024 19:25:30.609286070 CEST	53	60859	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 19:24:03.334824085 CEST	192.168.2.4	1.1.1.1	0xabb8	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:03.334956884 CEST	192.168.2.4	1.1.1.1	0xbdd4	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:24:04.290518045 CEST	192.168.2.4	1.1.1.1	0x8dc8	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.290630102 CEST	192.168.2.4	1.1.1.1	0xace2	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:24:07.227897882 CEST	192.168.2.4	1.1.1.1	0xa6a6	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:07.228018045 CEST	192.168.2.4	1.1.1.1	0x2147	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:24:12.484332085 CEST	192.168.2.4	1.1.1.1	0x96ec	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:12.484464884 CEST	192.168.2.4	1.1.1.1	0xf481	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 19:24:13.517786980 CEST	192.168.2.4	1.1.1.1	0x4bcc	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:13.517947912 CEST	192.168.2.4	1.1.1.1	0x989f	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:25:07.290992975 CEST	192.168.2.4	1.1.1.1	0xc5ac	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:25:07.291117907 CEST	192.168.2.4	1.1.1.1	0x9a9b	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 19:25:14.612617016 CEST	192.168.2.4	1.1.1.1	0xbe95	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:25:14.612689018 CEST	192.168.2.4	1.1.1.1	0x16de	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 19:24:03.343460083 CEST	1.1.1.1	192.168.2.4	0xbdd4	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 19:24:03.343647003 CEST	1.1.1.1	192.168.2.4	0xabb8	No error (0)	youtube.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297583103 CEST	1.1.1.1	192.168.2.4	0x8dc8	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297815084 CEST	1.1.1.1	192.168.2.4	0xace2	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:24:04.297815084 CEST	1.1.1.1	192.168.2.4	0xace2	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:24:07.235044956 CEST	1.1.1.1	192.168.2.4	0xa6a6	No error (0)	www.google.com		142.250.186.132	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:07.235719919 CEST	1.1.1.1	192.168.2.4	0x2147	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:24:12.491400003 CEST	1.1.1.1	192.168.2.4	0x96ec	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:24:12.491400003 CEST	1.1.1.1	192.168.2.4	0x96ec	No error (0)	www3.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:24:12.491420984 CEST	1.1.1.1	192.168.2.4	0xf481	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:24:13.524878025 CEST	1.1.1.1	192.168.2.4	0x4bcc	No error (0)	play.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:25:07.297868013 CEST	1.1.1.1	192.168.2.4	0xc5ac	No error (0)	www.google.com		172.217.18.4	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:25:07.298258066 CEST	1.1.1.1	192.168.2.4	0x9a9b	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 19:25:14.619868994 CEST	1.1.1.1	192.168.2.4	0xbe95	No error (0)	play.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	142.250.184.238	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:03 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:24:04 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 17:24:04 GMT Date: Wed, 02 Oct 2024 17:24:04 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.185.142	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:05 UTC	869	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:24:05 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:24:05 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:54:05 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=FRc52ABEn3g; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=gqSdc1YoFP8; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:24:05 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgUA%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 17:24:05 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:08 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:24:08 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=84102 Date: Wed, 02 Oct 2024 17:24:08 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:09 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 17:24:09 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=84045 Date: Wed, 02 Oct 2024 17:24:09 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 17:24:09 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49759	142.250.184.238	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:13 UTC	1236	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1552351272&timestamp=1727889851141 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:24:13 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-2EVwdHSaLSTlMaiHuye4OA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 17:24:13 GMT Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmLw1pBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh2Nv87ftbAIL7m45xqikl5RfGJ-ZkppXkllSmZKfm5iZl5yfn52ZWlycWlSWWhRvZGBkYmBpZKRnYBFfYAAA47Ytlw" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 32 45 56 77 64 48 53 61 4c 53 54 6c 4d 61 69 48 75 79 65 34 4f 41 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="2EVwdHSaLSTlMaiHuye4OA">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-02 17:24:13 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49761	142.250.184.206	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:14 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:24:14 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:24:14 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49763	142.250.184.206	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:14 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:24:14 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:24:14 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49765	142.250.184.206	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:15 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:24:15 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 39 38 35 32 32 31 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727889852215",null,null,null
2024-10-02 17:24:15 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=iZs9D5xBIOhEdcFRH3Ne5lBU6ENZTwxQzSQUn_F6GXA_R6JG_4SGfzCJtY61sfzqdZ2vTtv4ddYRsm73nYbLXXGXGHYSF2a-OMP_00IHg3gsVAJcT1Z3270SWjqEchylZ3hIXbUffW4CCFhPb4XLc1CEnH7j7fD-ZNS4GQ4e2ttfBTq_R5Y; expires=Thu, 03-Apr-2025 17:24:15 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:24:15 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:24:15 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:24:15 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:24:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49766	142.250.184.206	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:15 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 507 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 17:24:15 UTC	507	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 39 38 35 32 33 31 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727889852312",null,null,null
2024-10-02 17:24:15 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=vqgYLiANKHTkc6WX5XgaDxk4LZpfrK-Sm0UZ5ic_OYQbh3PBc31yZv-MEP4nCOcieycRFHyL-mYtD73GJ5Ej9mGwXeVfAcaPfhiBbrvOBq1gY15oTr9fTaqYH2-GIMUBGpBbuAwSTJiJ-s1UNAdPvIhPBM9dDiRFzeeYK7dX-pYHMfBF19A; expires=Thu, 03-Apr-2025 17:24:15 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:24:15 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:24:15 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:24:15 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:24:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	142.250.186.132	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:16 UTC	1214	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=vqgYLiANKHTkc6WX5XgaDxk4LZpfrK-Sm0UZ5ic_OYQbh3PBc31yZv-MEP4nCOcieycRFHyL-mYtD73GJ5Ej9mGwXeVfAcaPfhiBbrvOBq1gY15oTr9fTaqYH2-GIMUBGpBbuAwSTJiJ-s1UNAdPvIhPBM9dDiRFzeeYK7dX-pYHMfBF19A
2024-10-02 17:24:16 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 15:37:10 GMT Expires: Thu, 10 Oct 2024 15:37:10 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 6426 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 17:24:16 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 17:24:16 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 17:24:16 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 17:24:16 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 17:24:16 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49774	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:20 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4BOnfg3sDZ1+ln5&MD=7mmXW1cb HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:24:20 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 6f516bf1-ed7a-44ed-bf48-f1ea5b8a1365 MS-RequestId: c2a1ee90-19a2-42d5-bedb-f767d6349af1 MS-CV: mHQUKyGfCUeoq/wK.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:24:19 GMT Connection: close Content-Length: 24490
2024-10-02 17:24:20 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 17:24:20 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49779	142.250.184.206	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:21 UTC	1299	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1224 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=vqgYLiANKHTkc6WX5XgaDxk4LZpfrK-Sm0UZ5ic_OYQbh3PBc31yZv-MEP4nCOcieycRFHyL-mYtD73GJ5Ej9mGwXeVfAcaPfhiBbrvOBq1gY15oTr9fTaqYH2-GIMUBGpBbuAwSTJiJ-s1UNAdPvIhPBM9dDiRFzeeYK7dX-pYHMfBF19A
2024-10-02 17:24:21 UTC	1224	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 39 38 34 39 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727889849000",null,null,null,
2024-10-02 17:24:22 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=ycaOmyG38Yc1TOVc4n4vBRABGwLsCu5PqXi2LtBJ7GPUdwUXwY9k1wAGEfn4QrLJEZUFpEZAxFTL65DgtN0cdFh0sM6q_BOM-COsBN37L2utc5-5BJuUkaRRgL_TvX99pEzMmi4YCckLr7wBlCv0vy3fBk5oyFcM7sJw4ua59XkELLY3ijRruo1AoBc; expires=Thu, 03-Apr-2025 17:24:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:24:22 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 17:24:22 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 17:24:22 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:24:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	62748	142.250.184.206	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:44 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1340 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ycaOmyG38Yc1TOVc4n4vBRABGwLsCu5PqXi2LtBJ7GPUdwUXwY9k1wAGEfn4QrLJEZUFpEZAxFTL65DgtN0cdFh0sM6q_BOM-COsBN37L2utc5-5BJuUkaRRgL_TvX99pEzMmi4YCckLr7wBlCv0vy3fBk5oyFcM7sJw4ua59XkELLY3ijRruo1AoBc
2024-10-02 17:24:44 UTC	1340	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 39 38 38 32 36 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727889882600",null,null,null
2024-10-02 17:24:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:24:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:24:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:24:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	62747	142.250.184.206	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:44 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1281 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ycaOmyG38Yc1TOVc4n4vBRABGwLsCu5PqXi2LtBJ7GPUdwUXwY9k1wAGEfn4QrLJEZUFpEZAxFTL65DgtN0cdFh0sM6q_BOM-COsBN37L2utc5-5BJuUkaRRgL_TvX99pEzMmi4YCckLr7wBlCv0vy3fBk5oyFcM7sJw4ua59XkELLY3ijRruo1AoBc
2024-10-02 17:24:44 UTC	1281	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 39 38 38 32 36 36 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727889882663",null,null,null
2024-10-02 17:24:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:24:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:24:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:24:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	62749	142.250.184.206	443	7980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:46 UTC	1290	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1029 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=ycaOmyG38Yc1TOVc4n4vBRABGwLsCu5PqXi2LtBJ7GPUdwUXwY9k1wAGEfn4QrLJEZUFpEZAxFTL65DgtN0cdFh0sM6q_BOM-COsBN37L2utc5-5BJuUkaRRgL_TvX99pEzMmi4YCckLr7wBlCv0vy3fBk5oyFcM7sJw4ua59XkELLY3ijRruo1AoBc
2024-10-02 17:24:46 UTC	1029	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-02 17:24:46 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 17:24:46 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 17:24:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 17:24:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	62750	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 17:24:58 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4BOnfg3sDZ1+ln5&MD=7mmXW1cb HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 17:24:58 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 23f83443-f2ef-4c15-ac5c-d9e866404c40 MS-RequestId: 3f442231-f2f7-436e-85da-d086c325bf71 MS-CV: AjeluFmVQUahaUep.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 17:24:57 GMT Connection: close Content-Length: 30005
2024-10-02 17:24:58 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 17:24:58 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	13:23:58
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x770000
File size:	918'528 bytes
MD5 hash:	1CC0EEC2A3105DBF316FDC0FBAAC2BC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:23:59
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xca0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:23:59
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:24:00
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:24:01
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:24:12
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:24:12
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=2356,i,8685252082371654683,15440142383956627020,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5%
Total number of Nodes:	1597
Total number of Limit Nodes:	48

Executed Functions

Function 007742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0077430D

Part of subcall function 00776B57: _wcslen.LIBCMT ref: 00776B6A

GetCurrentProcess.KERNEL32(?,0080CB64,00000000,?,?), ref: 00774422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00774429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00774454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00774466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00774474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0077447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007744A0

Strings

kernel32.dll, xrefs: 0077444F
GetNativeSystemInfo, xrefs: 00774460
|O, xrefs: 007B36F8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 1887a12ac4ddadad8a7ed9425090215913af7e49a0a1382f5696d7be5ab5232d
Instruction ID: 9f07e03b1ba09a5ec632ca88a28043f760c66f3acb5feacc3cfd9e4bef341ef9
Opcode Fuzzy Hash: 1887a12ac4ddadad8a7ed9425090215913af7e49a0a1382f5696d7be5ab5232d
Instruction Fuzzy Hash: 04A1847A90A3C0DFCF11CF697C896E67FA47B27784B148899D04593B62E72C49C8DB21

Function 007742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007750AA,?,?,00000000,00000000), ref: 007742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007750AA,?,?,00000000,00000000), ref: 007742C9
LoadResource.KERNEL32(?,00000000,?,?,007750AA,?,?,00000000,00000000,?,?,?,?,?,?,00774F20), ref: 007B35BE
SizeofResource.KERNEL32(?,00000000,?,?,007750AA,?,?,00000000,00000000,?,?,?,?,?,?,00774F20), ref: 007B35D3
LockResource.KERNEL32(007750AA,?,?,007750AA,?,?,00000000,00000000,?,?,?,?,?,?,00774F20,?), ref: 007B35E6

Strings

SCRIPT, xrefs: 007742BF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 07c45ef8f61494a9921150b5ab97edee8f3694767d1c5930dda575ffc8862e81
Instruction ID: 9f6fe591aef3a46c9db4bee463a26226469bb5ac6838789473ebfc7ea4b0a274
Opcode Fuzzy Hash: 07c45ef8f61494a9921150b5ab97edee8f3694767d1c5930dda575ffc8862e81
Instruction Fuzzy Hash: C1117C71200700BFDB218F65DC49F677BB9FBC5B91F208269B416D66A0DB71D8208A20

Function 007B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00772B6B

Part of subcall function 00773A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00841418,?,00772E7F,?,?,?,00000000), ref: 00773A78

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00832224), ref: 007B2C10
ShellExecuteW.SHELL32(00000000,?,?,00832224), ref: 007B2C17

Strings

runas, xrefs: 007B2C0B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 309e64852b438930237960319626d416c6aed69d62283c4d2e3ba5867aba6f0e
Instruction ID: f46aad7207e9747fc360d09b28e653423224a417e2f25551fa28d11a48c9afac
Opcode Fuzzy Hash: 309e64852b438930237960319626d416c6aed69d62283c4d2e3ba5867aba6f0e
Instruction Fuzzy Hash: E711E771204305DACF14FF60D85A9AEBBA5BB91780F04842DF15E520A3DF3C894AD752

Function 007FA67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007FA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 007FA6BA

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Process32NextW.KERNEL32(00000000,?), ref: 007FA79C
CloseHandle.KERNELBASE(00000000), ref: 007FA7AB

Part of subcall function 0078CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,007B3303,?), ref: 0078CE8A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 79161dcc95b77b78124db8aed9deedf3c5c297af90b6a973cba789bdbc82edf7
Instruction ID: 8c54a0308c278c35504b34f363b4c09c0e587579b42ec74e078418c619d0ef02
Opcode Fuzzy Hash: 79161dcc95b77b78124db8aed9deedf3c5c297af90b6a973cba789bdbc82edf7
Instruction Fuzzy Hash: C351FC71508300EFD710EF24C886A6BBBE8FF89754F40892DF59997252EB74D905CB92

Function 007DDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,007B5222), ref: 007DDBCE
GetFileAttributesW.KERNELBASE(?), ref: 007DDBDD
FindFirstFileW.KERNEL32(?,?), ref: 007DDBEE
FindClose.KERNEL32(00000000), ref: 007DDBFA

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9da2969af5ca1a681dd1c0bd99ad95f3e2a09ecd4f7a89978d961e7e29c0df3e
Instruction ID: 1c4864f2a8bf153d9fd9eceb6d7889bd6e351290b8fb1e8ad864f54c1ba9195a
Opcode Fuzzy Hash: 9da2969af5ca1a681dd1c0bd99ad95f3e2a09ecd4f7a89978d961e7e29c0df3e
Instruction Fuzzy Hash: 62F0A0308209105BC2306F78AC0E8BA377CAE01334F204703F83AD22E1EBB45D5486A5

Function 00794CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007A28E9,?,00794CBE,007A28E9,008388B8,0000000C,00794E15,007A28E9,00000002,00000000,?,007A28E9), ref: 00794D09
TerminateProcess.KERNEL32(00000000,?,00794CBE,007A28E9,008388B8,0000000C,00794E15,007A28E9,00000002,00000000,?,007A28E9), ref: 00794D10
ExitProcess.KERNEL32 ref: 00794D22

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d99c33be8ebb6cb8d5c73680510ac5af609fb6933676ebf4ea242b8abd4af8b8
Instruction ID: 66b174754b8d379d108f0dda24cbe19e51c53bb5a8de3e6c30f89d6dbb8fbd7d
Opcode Fuzzy Hash: d99c33be8ebb6cb8d5c73680510ac5af609fb6933676ebf4ea242b8abd4af8b8
Instruction Fuzzy Hash: F2E0B635110548ABCF55AF64ED09E583B69FB46781B118114FD058A232CB39DD42CA80

Function 007FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 007FB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007FB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007FB1D4
_wcslen.LIBCMT ref: 007FB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007FB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007FB236
_wcslen.LIBCMT ref: 007FB332

Part of subcall function 007E05A7: GetStdHandle.KERNEL32(000000F6), ref: 007E05C6

_wcslen.LIBCMT ref: 007FB34B
_wcslen.LIBCMT ref: 007FB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007FB3B6
GetLastError.KERNEL32(00000000), ref: 007FB407
CloseHandle.KERNEL32(?), ref: 007FB439
CloseHandle.KERNEL32(00000000), ref: 007FB44A
CloseHandle.KERNEL32(00000000), ref: 007FB45C
CloseHandle.KERNEL32(00000000), ref: 007FB46E
CloseHandle.KERNEL32(?), ref: 007FB4E3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 096016a646affc39283a1a60248be1c7006ecbcaffee90c4627b2de0476c326e
Instruction ID: 0475648af70aa50abac8014177626b73a76a5d3c8c79cd85286cd4420aecbf7e
Opcode Fuzzy Hash: 096016a646affc39283a1a60248be1c7006ecbcaffee90c4627b2de0476c326e
Instruction Fuzzy Hash: D1F18A31608244DFCB14EF24C885B2EBBE1AF85354F14895DF9998B3A2CB39EC44CB52

Function 0077D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0077D807
timeGetTime.WINMM ref: 0077DA07
Sleep.KERNELBASE(0000000A), ref: 0077DBB1
Sleep.KERNEL32(0000000A), ref: 007C2B76
GetExitCodeProcess.KERNEL32(?,?), ref: 007C2C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 007C2C29
CloseHandle.KERNEL32(?), ref: 007C2C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 007C2CA9

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: ae708df6df4d593b4351f9fb9d4b70e912fe60006693ba2e281a87e90a1d580d
Instruction ID: ba39f8647f94b9fdd74c54d7113db97c74811a5b3adad0701ec3d93e2540f16f
Opcode Fuzzy Hash: ae708df6df4d593b4351f9fb9d4b70e912fe60006693ba2e281a87e90a1d580d
Instruction Fuzzy Hash: D642CE70608241DFDB39DF24C848F6AB7B0BF86344F54862DE55A872A2D778EC45CB92

Function 00772CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00772D07
RegisterClassExW.USER32(00000030), ref: 00772D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00772D42
InitCommonControlsEx.COMCTL32(?), ref: 00772D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00772D6F
LoadIconW.USER32(000000A9), ref: 00772D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00772D94

Strings

AutoIt v3 GUI, xrefs: 00772D23
TaskbarCreated, xrefs: 00772D37
+, xrefs: 00772CF0
0, xrefs: 00772CE9

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 893f64c99c6a3fb5c66482d49d915caa3550d7bccf5e37fd56040cce30a34d5b
Instruction ID: a58a410bf1bb6095740fb4c18c3ee21614a5570affc121f5e5be9134f83fa7c6
Opcode Fuzzy Hash: 893f64c99c6a3fb5c66482d49d915caa3550d7bccf5e37fd56040cce30a34d5b
Instruction Fuzzy Hash: 2121C3B5951218AFDF40DFA4EC49BDDBFB4FB09700F00821AF611A62A0D7B55584CF91

Function 007B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007B039A: CreateFileW.KERNELBASE(00000000,00000000,?,007B0704,?,?,00000000,?,007B0704,00000000,0000000C), ref: 007B03B7

GetLastError.KERNEL32 ref: 007B076F
__dosmaperr.LIBCMT ref: 007B0776
GetFileType.KERNELBASE(00000000), ref: 007B0782
GetLastError.KERNEL32 ref: 007B078C
__dosmaperr.LIBCMT ref: 007B0795
CloseHandle.KERNEL32(00000000), ref: 007B07B5
CloseHandle.KERNEL32(?), ref: 007B08FF
GetLastError.KERNEL32 ref: 007B0931
__dosmaperr.LIBCMT ref: 007B0938

Strings

H, xrefs: 007B08BD

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7c3229a8449b0a98bf12c225bb7133071f8232c29447e9f453878cae68a260f3
Instruction ID: 474caa6ba15c17d8fc4760db6a351cc596a405d87a09ea6e22ff3e30cdac3da5
Opcode Fuzzy Hash: 7c3229a8449b0a98bf12c225bb7133071f8232c29447e9f453878cae68a260f3
Instruction Fuzzy Hash: 1FA12336A141088FDF19AF68D856BEE7BA0AB46324F14029DF811DB3D1DB399912CBD1

Function 0077344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00773A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00841418,?,00772E7F,?,?,?,00000000), ref: 00773A78

Part of subcall function 00773357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00773379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0077356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007B31CE
RegCloseKey.ADVAPI32(?), ref: 007B3210
_wcslen.LIBCMT ref: 007B3277
_wcslen.LIBCMT ref: 007B3286

Strings

\Include\, xrefs: 00773527
\, xrefs: 007B328C
Include, xrefs: 007B3184, 007B31C5
Software\AutoIt v3\AutoIt, xrefs: 00773560

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ab57b459918b52d625333b69002dad2cba192d5f2fbfd2d5999f0db80f1d3796
Instruction ID: 4f7f01f5cd69339a39efd497d3c489cab682867a3e6fdfd5a4e41c237364adfb
Opcode Fuzzy Hash: ab57b459918b52d625333b69002dad2cba192d5f2fbfd2d5999f0db80f1d3796
Instruction Fuzzy Hash: 51716C71508301DEC714EF69DC8699BBBF8FF95780B80452EF559832B1DB389A48CB62

Function 00772B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00772B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00772B9D
LoadIconW.USER32(00000063), ref: 00772BB3
LoadIconW.USER32(000000A4), ref: 00772BC5
LoadIconW.USER32(000000A2), ref: 00772BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00772BEF
RegisterClassExW.USER32(?), ref: 00772C40

Part of subcall function 00772CD4: GetSysColorBrush.USER32(0000000F), ref: 00772D07
Part of subcall function 00772CD4: RegisterClassExW.USER32(00000030), ref: 00772D31
Part of subcall function 00772CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00772D42
Part of subcall function 00772CD4: InitCommonControlsEx.COMCTL32(?), ref: 00772D5F
Part of subcall function 00772CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00772D6F
Part of subcall function 00772CD4: LoadIconW.USER32(000000A9), ref: 00772D85
Part of subcall function 00772CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00772D94

Strings

AutoIt v3, xrefs: 00772C2F
0, xrefs: 00772C0F
#, xrefs: 00772C16

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2942e138c8e80b0fb19930b4a6174b8ff5211a1dfda8070807fdb9419a998f60
Instruction ID: 7f5616e04ce0bca74621bd0e09d6e1c82ea56cb8af6421c05873718bf082b31d
Opcode Fuzzy Hash: 2942e138c8e80b0fb19930b4a6174b8ff5211a1dfda8070807fdb9419a998f60
Instruction Fuzzy Hash: 41212C78E40318ABDF109FA9EC59B99BFB4FB49B50F00451AF504A67A0D7B90580CF90

Function 00773170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0077316A,?,?), ref: 007731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0077316A,?,?), ref: 00773204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00773227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0077316A,?,?), ref: 00773232
CreatePopupMenu.USER32 ref: 00773246
PostQuitMessage.USER32(00000000), ref: 00773267

Strings

TaskbarCreated, xrefs: 0077322D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 642648565b072523f7369a77e0c6c183b73265c1aef483485f2aa55ad3721ab8
Instruction ID: 6f69d68ab85ab86e9c3705f27b65321cc3e4328f5edf686bc172033e159ce5ac
Opcode Fuzzy Hash: 642648565b072523f7369a77e0c6c183b73265c1aef483485f2aa55ad3721ab8
Instruction Fuzzy Hash: 52410635254208EBDF155F7C9C0DBB93B5AF7063C4F548225F90AC62A2C77D8A81E7A2

Function 00771410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00771459
CoUninitialize.COMBASE ref: 007714F8
UnregisterHotKey.USER32(?), ref: 007716DD
DestroyWindow.USER32(?), ref: 007B24B9
FreeLibrary.KERNEL32(?), ref: 007B251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 007B254B

Strings

close all, xrefs: 00771454

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d119f40d77bdcc6934b7b0a8aa744cfaca271b56357f090a49afeac4f3e0daaa
Instruction ID: 1c4fa35659187f8dbd7ffbfc539e20e7f6e0a3e64be04c4f049ca4637e9e571d
Opcode Fuzzy Hash: d119f40d77bdcc6934b7b0a8aa744cfaca271b56357f090a49afeac4f3e0daaa
Instruction Fuzzy Hash: 2DD17331702212CFCB29EF15C899B69F7A4BF05740F5482ADE54AA7252DB38AD23CF51

Function 00772C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00772C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00772CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00771CAD,?), ref: 00772CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00771CAD,?), ref: 00772CCF

Strings

AutoIt v3, xrefs: 00772C89, 00772C8E, 00772C8F
edit, xrefs: 00772CAC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c4067400e15aa2a402dd75bbd12eac1ec8794052d72cbb5b3fc7bef98890abda
Instruction ID: 3d2de8467d88cac014a5e5b578bc03c1faf19bd696fa90a1cb4632c3f7563cfe
Opcode Fuzzy Hash: c4067400e15aa2a402dd75bbd12eac1ec8794052d72cbb5b3fc7bef98890abda
Instruction Fuzzy Hash: 55F0DA795402907AEB711F17AC4CE776EBDF7C7F50B00005AF900A26A0C6691894DAB0

Function 00773B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00773B0F,SwapMouseButtons,00000004,?), ref: 00773B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00773B0F,SwapMouseButtons,00000004,?), ref: 00773B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00773B0F,SwapMouseButtons,00000004,?), ref: 00773B83

Strings

Control Panel\Mouse, xrefs: 00773B3E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 339d531ad78d0b2e892f372b5c0bc193a7e46492e00eea651472e40deb3d2d02
Instruction ID: 403b30edb2e5cc7d71ea9a2a16c2b972359a08b309ae91105d4585866afb87ac
Opcode Fuzzy Hash: 339d531ad78d0b2e892f372b5c0bc193a7e46492e00eea651472e40deb3d2d02
Instruction Fuzzy Hash: 0B112AB5510208FFDF208FA5DC44AEEB7BCEF04784B10856AA809D7120E2359E40A7A0

Function 00773923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007B33A2

Part of subcall function 00776B57: _wcslen.LIBCMT ref: 00776B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00773A04

Strings

Line: , xrefs: 007B33EB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 2106e03ee347b6357f1031fbfca6421135efb13a8d363e447444ed10db4bcfea
Instruction ID: f7e5da831a1d80b24195083a95b628124830ce4ddc76eb2099889f562c290fc5
Opcode Fuzzy Hash: 2106e03ee347b6357f1031fbfca6421135efb13a8d363e447444ed10db4bcfea
Instruction Fuzzy Hash: 5C31C771508304EACB21EF20DC49BEBB7D8BB41754F00891AF59D83191DB7C9688CBC2

Function 0078FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00790668

Part of subcall function 007932A4: RaiseException.KERNEL32(?,?,?,0079068A,?,00841444,?,?,?,?,?,?,0079068A,00771129,00838738,00771129), ref: 00793304

__CxxThrowException@8.LIBVCRUNTIME ref: 00790685

Strings

Unknown exception, xrefs: 00790692

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 3fc7869e7e41e337ecb5bbae9848f05ab69cf4f36532c6b6025839b8c20a05ab
Instruction ID: a0dd8e315083db8a9162737ac34c9f79ac1c64349f01e4ad05b6549dd193eecb
Opcode Fuzzy Hash: 3fc7869e7e41e337ecb5bbae9848f05ab69cf4f36532c6b6025839b8c20a05ab
Instruction Fuzzy Hash: 42F0623490030DFBCF04B6A4F85AD9E776CAE40350B608571FA24D65D2EF79EA66C6D0

Function 007710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00771BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00771BF4
Part of subcall function 00771BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00771BFC
Part of subcall function 00771BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00771C07
Part of subcall function 00771BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00771C12
Part of subcall function 00771BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00771C1A
Part of subcall function 00771BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00771C22

Part of subcall function 00771B4A: RegisterWindowMessageW.USER32(00000004,?,007712C4), ref: 00771BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0077136A
OleInitialize.OLE32 ref: 00771388
CloseHandle.KERNEL32(00000000,00000000), ref: 007B24AB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: eed34adff1ecd7233758814076a7ad9b5279819aa2cca5e887b9a6fe9c818b4b
Instruction ID: b0cc87b94a95e4694ea8b3beb34b29e01a12d45ab3d80a359ded78314b6cb5b9
Opcode Fuzzy Hash: eed34adff1ecd7233758814076a7ad9b5279819aa2cca5e887b9a6fe9c818b4b
Instruction Fuzzy Hash: 077199BCA513048ECF84EFB9EC4D6957AE1FB9A384356823AD61AC7261EB3444C5CF44

Function 007DC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00773923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00773A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007DC259
KillTimer.USER32(?,00000001,?,?), ref: 007DC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007DC270

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 1b69db6d69ed8f6a0f2c335726ba4ecadcbe75f1ae8dacd746c63f12ceb366c2
Instruction ID: d0c06c6f7f93669f4e879439193a841e22bbbc1698f4b29342942916533cdd0c
Opcode Fuzzy Hash: 1b69db6d69ed8f6a0f2c335726ba4ecadcbe75f1ae8dacd746c63f12ceb366c2
Instruction Fuzzy Hash: 40318470904354AFEB739F648895BE7BBFCAB06304F00049AE6DA97241C7786A84CB51

Function 007A86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007A85CC,?,00838CC8,0000000C), ref: 007A8704
GetLastError.KERNEL32(?,007A85CC,?,00838CC8,0000000C), ref: 007A870E
__dosmaperr.LIBCMT ref: 007A8739

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 6fb9f3e1cbb23ea0a1a7812ba7e94642f17cd7067dceeb7897da0946940cb336
Instruction ID: 5556a212c1223b67c6c300bad404f98ed10b76cfcc0f567d579aa77dded96fc9
Opcode Fuzzy Hash: 6fb9f3e1cbb23ea0a1a7812ba7e94642f17cd7067dceeb7897da0946940cb336
Instruction Fuzzy Hash: F6018933A0562066EAE46334A849B7E67495BC3778F390319F8048B1D3DEBCCC81C192

Function 0077DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0077DB7B
DispatchMessageW.USER32(?), ref: 0077DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0077DB9F
Sleep.KERNELBASE(0000000A), ref: 0077DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 007C1CC9

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: f4bb07e8a8394910f0771a0593092de3b13c30d25407913db643a9361dd3a113
Instruction ID: eaca16f26586fb18287dc74a8a7cad021f2c0ca66d81f804401dae119f5d0f6b
Opcode Fuzzy Hash: f4bb07e8a8394910f0771a0593092de3b13c30d25407913db643a9361dd3a113
Instruction Fuzzy Hash: 08F05E306443449BEB70CBA48C49FAA73B8FF45350F508A2CF61AD30D0DB38A488CB25

Function 00781310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007817F6

Strings

CALL, xrefs: 007817C6

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5031491c546ab92e8d2659a7f1d94baa2e215a6ed293e2d8411759996e2962f2
Instruction ID: 5b5ebe2b504d1a7e6e8d5e01511acb0ff4ecdcfc3218dbe586aa9e5e45c85e27
Opcode Fuzzy Hash: 5031491c546ab92e8d2659a7f1d94baa2e215a6ed293e2d8411759996e2962f2
Instruction Fuzzy Hash: 6E229B70608241DFC714EF14C484B2ABBF5BF89314F64896DF49A8B3A1D739E952CB92

Function 00772DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 007B2C8C

Part of subcall function 00773AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00773A97,?,?,00772E7F,?,?,?,00000000), ref: 00773AC2

Part of subcall function 00772DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00772DC4

Strings

X, xrefs: 007B2C5A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 64025cfa020292e388af977e41b3b9b18e06db28fed2dc0b9d6d12228c4d9ed3
Instruction ID: 6956901a8678da0c45c81492da52c10d92f22626828ed4ee762e2b133e2593c6
Opcode Fuzzy Hash: 64025cfa020292e388af977e41b3b9b18e06db28fed2dc0b9d6d12228c4d9ed3
Instruction Fuzzy Hash: AD219671A00258AFDF41DF94C8497EE7BF8AF49304F108059E519E7242DBBC5A49CFA1

Function 00773837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00773908

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8a5ae637cb9f6dd447cec89fb20ec4e77fde0ade2c20cc102ebb193dacad2a8c
Instruction ID: 27796081fbed012f967c87d7fbb697cd61451631a5f1bb5cc7248fe868c32a4d
Opcode Fuzzy Hash: 8a5ae637cb9f6dd447cec89fb20ec4e77fde0ade2c20cc102ebb193dacad2a8c
Instruction Fuzzy Hash: 4D319170504701DFDB20DF24D889B97BBE8FB49748F00092EF59983340E779AA84DB52

Function 0078F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0078F661

Part of subcall function 0077D730: GetInputState.USER32 ref: 0077D807

Sleep.KERNEL32(00000000), ref: 007CF2DE

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 8d9ec5c68e0b874e1e7c3b19bab64719398acd19775601d8ea30975dbd2a6d45
Instruction ID: 0a1e0706922343e13d9b9f31c11d7178ff3195612bd35201e4f9358cfcfe2d0a
Opcode Fuzzy Hash: 8d9ec5c68e0b874e1e7c3b19bab64719398acd19775601d8ea30975dbd2a6d45
Instruction Fuzzy Hash: 8CF08C313402059FD354EF69D449B6AB7E8FF497A5F00412AE85DC72A0DB70A800CB91

Function 0077B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0077BB4E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 3afccee5eedf30b0d8455d41411d1cde1772b7e6e5c426273642287a1284f8bf
Instruction ID: 820c6f288ef3f961f4998e9a7d72345e56da3849b69294d9a8d4b9ff4f3d2d85
Opcode Fuzzy Hash: 3afccee5eedf30b0d8455d41411d1cde1772b7e6e5c426273642287a1284f8bf
Instruction Fuzzy Hash: 66329874A04209DFDF24CF54C898BBAB7B9FF44384F19805DEA19AB261C778AD41CB91

Function 00774ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00774E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00774EDD,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774E9C
Part of subcall function 00774E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00774EAE
Part of subcall function 00774E90: FreeLibrary.KERNEL32(00000000,?,?,00774EDD,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774EFD

Part of subcall function 00774E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007B3CDE,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774E62
Part of subcall function 00774E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00774E74
Part of subcall function 00774E59: FreeLibrary.KERNEL32(00000000,?,?,007B3CDE,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774E87

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c68454c88933c01f53e9312178b74f3c7d34d5518990e9237908b5ebd4f8ab42
Instruction ID: fa43e3570ee256d36b626ff4c64104ceee6a00083441042bee2c569c0983302d
Opcode Fuzzy Hash: c68454c88933c01f53e9312178b74f3c7d34d5518990e9237908b5ebd4f8ab42
Instruction Fuzzy Hash: AB11E332600205EBDF24FF60DC0AFAD77A5AF40790F10C42DF54AA61C1EFB89A459750

Function 007A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 007A8440

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 6c36f8dbf7f239aefb384a2e57d3f23275f03ae44e3e09aa3cd12d5540f9a315
Instruction ID: c800806eaabffa8699e86dbfa8868b28a66bf8fc5186d8b3ee4ebf9a6589bcf1
Opcode Fuzzy Hash: 6c36f8dbf7f239aefb384a2e57d3f23275f03ae44e3e09aa3cd12d5540f9a315
Instruction Fuzzy Hash: 3811187590420AAFCB05DF58E94599B7BF9EF49314F104159F808AB312DA31EA11CBA5

Function 007A5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007A4C7D: RtlAllocateHeap.NTDLL(00000008,00771129,00000000,?,007A2E29,00000001,00000364,?,?,?,0079F2DE,007A3863,00841444,?,0078FDF5,?), ref: 007A4CBE

_free.LIBCMT ref: 007A506C

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: e4cb17f3c06a4ddde0cde58623d70e90ada3ff7049099e7f3f6e4a63f26c7ce1
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B0012672204704ABE3218F699885A5BFBE8FBCA370F25071DE18493280EA74A805C6B4

Function 0079E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d90a8415707dc27db12168e20024d489030889cf2992ae3e6fcbf661123af464
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8BF0A932511E14EADE317A69AC09B5B33989FD3335F100715F525962D2DB7CE8028AA6

Function 007A4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00771129,00000000,?,007A2E29,00000001,00000364,?,?,?,0079F2DE,007A3863,00841444,?,0078FDF5,?), ref: 007A4CBE

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 609b111b8380d14a2c333b553f928da51d6f076430a83f9d6fb17cc007901a59
Instruction ID: 893444c4ec23d70eb048be162c0ba246903bf56b1b356086916fa1c8ab00bdb9
Opcode Fuzzy Hash: 609b111b8380d14a2c333b553f928da51d6f076430a83f9d6fb17cc007901a59
Instruction Fuzzy Hash: FAF0BB32606124A6DF215F619C09F5A3749BFC3770B144311B81D96181DAFAD80146B0

Function 007A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00841444,?,0078FDF5,?,?,0077A976,00000010,00841440,007713FC,?,007713C6,?,00771129), ref: 007A3852

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 99807f7a31395ee0286ea8dd7813a9a832993e00c94b2d9b1f0c25f4444dd32f
Instruction ID: aa7b2d43432d4670193735ed5150aaff6971e8324b8db0ba5a691f42a0f4d766
Opcode Fuzzy Hash: 99807f7a31395ee0286ea8dd7813a9a832993e00c94b2d9b1f0c25f4444dd32f
Instruction Fuzzy Hash: 04E065325012259AEB212F66AC09F9A3659AFC37B0F150322BC1596591DB1DDD0182F1

Function 00774F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774F6D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 986413d1ee4182c0afe29ab3854cd3e208ae498f13d35e3b08ae5ed90533c57b
Instruction ID: 7b1688d0ae0af409a89f8e324b66c5a15e17dc4a64027142479fe3df4c4a8d51
Opcode Fuzzy Hash: 986413d1ee4182c0afe29ab3854cd3e208ae498f13d35e3b08ae5ed90533c57b
Instruction Fuzzy Hash: BDF01571206752DFDF349F64E494822BBE4AF15369328CA7EE1EE82621C73A9844DB10

Function 007730F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0077314E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6c26579d8fac0f360e8fbc4d539e6e33f560490b1ea9f302a571f15827071944
Instruction ID: 34353f22648dcf6c3d10de7065c3aaa1d39b0ab2dc79027a2552f5c94934fb09
Opcode Fuzzy Hash: 6c26579d8fac0f360e8fbc4d539e6e33f560490b1ea9f302a571f15827071944
Instruction Fuzzy Hash: 07F037749143189FEF629F24DC497D57BFCB701708F0001E5A54896292D77857C8CF51

Function 00772DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00772DC4

Part of subcall function 00776B57: _wcslen.LIBCMT ref: 00776B6A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 091780d7a1c34290fd5313ad9516adbdb0cc7e231ac62f4f13f00664e64b34ad
Instruction ID: 2116da7c1150b5cd3602bd1fd74e02fffae518504655203ecc2ff63900a27c4f
Opcode Fuzzy Hash: 091780d7a1c34290fd5313ad9516adbdb0cc7e231ac62f4f13f00664e64b34ad
Instruction Fuzzy Hash: C3E0CD726001245BCB1097589C09FEA77DDDFC87D0F044171FD09D725DDA64AD80C550

Function 00772B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00773837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00773908

Part of subcall function 0077D730: GetInputState.USER32 ref: 0077D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00772B6B

Part of subcall function 007730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0077314E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3035251676e52f9e2216941c49d29b1b8709b49cf0025e53f01d4daeb1aa280b
Instruction ID: 33496e70b61ee0212e69db35641b166c7828ed22ac8afbcb4038daeed1ddbdef
Opcode Fuzzy Hash: 3035251676e52f9e2216941c49d29b1b8709b49cf0025e53f01d4daeb1aa280b
Instruction Fuzzy Hash: B3E0862130424886CE18BB75985E56DA75AABD23D5F40953EF14A831A3DF2D498A8252

Function 007B039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,007B0704,?,?,00000000,?,007B0704,00000000,0000000C), ref: 007B03B7

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5608d17db90dd6c1ac2d4240987114979d1103fafd02f0de20ec89d85c4744f3
Instruction ID: b4d63ff287a49c7624a510de3b01ecc5cd6c80a6a04995ba8f8095f15ac35792
Opcode Fuzzy Hash: 5608d17db90dd6c1ac2d4240987114979d1103fafd02f0de20ec89d85c4744f3
Instruction Fuzzy Hash: 51D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014100BE1856020C732E821AB90

Function 00771CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00771CBC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 5ede57056cf2228f8891164fceacc934c81949a9ad052374cf6ac03184f1971f
Instruction ID: 6b07b93006cb60d6e9cbc6af98cdbf7e3b0d2cd699968b1f5e8c1eec591e9e5a
Opcode Fuzzy Hash: 5ede57056cf2228f8891164fceacc934c81949a9ad052374cf6ac03184f1971f
Instruction Fuzzy Hash: 08C0923E280304AFF6648F80BC4EF10B7A4B349F04F448101F609A96E3C3A22860EA50

Non-executed Functions

Function 00809576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00789BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00789BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0080961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0080965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0080969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008096C9
SendMessageW.USER32 ref: 008096F2
GetKeyState.USER32(00000011), ref: 0080978B
GetKeyState.USER32(00000009), ref: 00809798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008097AE
GetKeyState.USER32(00000010), ref: 008097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008097E9
SendMessageW.USER32 ref: 00809810
SendMessageW.USER32(?,00001030,?,00807E95), ref: 00809918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0080992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00809941
SetCapture.USER32(?), ref: 0080994A
ClientToScreen.USER32(?,?), ref: 008099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008099D6
ReleaseCapture.USER32 ref: 008099E1
GetCursorPos.USER32(?), ref: 00809A19
ScreenToClient.USER32(?,?), ref: 00809A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00809A80
SendMessageW.USER32 ref: 00809AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00809AEB
SendMessageW.USER32 ref: 00809B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00809B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00809B4A
GetCursorPos.USER32(?), ref: 00809B68
ScreenToClient.USER32(?,?), ref: 00809B75
GetParent.USER32(?), ref: 00809B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00809BFA
SendMessageW.USER32 ref: 00809C2B
ClientToScreen.USER32(?,?), ref: 00809C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00809CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00809CDE
SendMessageW.USER32 ref: 00809D01
ClientToScreen.USER32(?,?), ref: 00809D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00809D82

Part of subcall function 00789944: GetWindowLongW.USER32(?,000000EB), ref: 00789952

GetWindowLongW.USER32(?,000000F0), ref: 00809E05

Strings

F, xrefs: 00809D07
@GUI_DRAGID, xrefs: 0080997D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 31f7c8bf63c45681e814dc29e7b81ffef36b2592576bcf77a7309792bd6594ff
Instruction ID: 64537cbf6201f95d7ec0923d16be9893de26b924ce2780610f58c9b1818d92fc
Opcode Fuzzy Hash: 31f7c8bf63c45681e814dc29e7b81ffef36b2592576bcf77a7309792bd6594ff
Instruction Fuzzy Hash: 0742AE35608201AFDBA0CF64CC48AAABBE5FF59314F14461DF6A9C72E2D732E850CB51

Function 00804873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00804908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00804927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0080494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0080495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0080497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00804A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00804A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00804A7E
IsMenu.USER32(?), ref: 00804A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00804AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00804B20
GetWindowLongW.USER32(?,000000F0), ref: 00804B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00804BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00804C82
wsprintfW.USER32 ref: 00804CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00804CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00804CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00804D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00804D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00804D5A

Strings

%d/%02d/%02d, xrefs: 00804CA8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b7f31b80ea057014fb6e7c11a3babe15c43862c2f7aaf2c4c73cc42604b0d0f3
Instruction ID: 2ff6f198f0e1b468152af08236ed8725d2a7c34d91ffcadee69d57d9d936f4a9
Opcode Fuzzy Hash: b7f31b80ea057014fb6e7c11a3babe15c43862c2f7aaf2c4c73cc42604b0d0f3
Instruction Fuzzy Hash: 551213B1680219ABEBA49F24CC49FAE7BF8FF45310F105229F615DB2E1DB749941CB50

Function 0078F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0078F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007CF474
IsIconic.USER32(00000000), ref: 007CF47D
ShowWindow.USER32(00000000,00000009), ref: 007CF48A
SetForegroundWindow.USER32(00000000), ref: 007CF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007CF4AA
GetCurrentThreadId.KERNEL32 ref: 007CF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007CF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 007CF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 007CF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 007CF4DE
SetForegroundWindow.USER32(00000000), ref: 007CF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 007CF4F6
keybd_event.USER32(00000012,00000000), ref: 007CF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 007CF50B
keybd_event.USER32(00000012,00000000), ref: 007CF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 007CF519
keybd_event.USER32(00000012,00000000), ref: 007CF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 007CF528
keybd_event.USER32(00000012,00000000), ref: 007CF52D
SetForegroundWindow.USER32(00000000), ref: 007CF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 007CF557

Strings

Shell_TrayWnd, xrefs: 007CF46F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1d8ae6a31ead2f6ab2fce3aa3e8c2336b705d2c99f2a308cc00ef735f1cb08fb
Instruction ID: 69f3638d5fea478e5f55598a24c502b97196621edebff8fa678855974da24aa1
Opcode Fuzzy Hash: 1d8ae6a31ead2f6ab2fce3aa3e8c2336b705d2c99f2a308cc00ef735f1cb08fb
Instruction Fuzzy Hash: 4F314F71A40218BBEB216FB55C4AFBF7E6DFB44B50F10016AFA01E61D1C7B55D10AAA0

Function 007D1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007D170D
Part of subcall function 007D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007D173A
Part of subcall function 007D16C3: GetLastError.KERNEL32 ref: 007D174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 007D1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007D12A8
CloseHandle.KERNEL32(?), ref: 007D12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007D12D1
GetProcessWindowStation.USER32 ref: 007D12EA
SetProcessWindowStation.USER32(00000000), ref: 007D12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007D1310

Part of subcall function 007D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007D11FC), ref: 007D10D4
Part of subcall function 007D10BF: CloseHandle.KERNEL32(?,?,007D11FC), ref: 007D10E9

Strings

default, xrefs: 007D130B
winsta0, xrefs: 007D12CC
, xrefs: 007D125A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: a08e57db51ec220ff2b570099100659f9fb5e6792be5b6b8cc55c9f82cafd7dc
Instruction ID: 297f7fb7a4028840fbdff9cdf3c998f4e21b46beaaae3a3c84c753fd416772ab
Opcode Fuzzy Hash: a08e57db51ec220ff2b570099100659f9fb5e6792be5b6b8cc55c9f82cafd7dc
Instruction Fuzzy Hash: 32818BB1A00249BFDF219FA4DC49FEE7BB9FF04704F14422AF910A62A0D7799945CB60

Function 007D0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007D1114
Part of subcall function 007D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D1120
Part of subcall function 007D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D112F
Part of subcall function 007D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D1136
Part of subcall function 007D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007D0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007D0C00
GetLengthSid.ADVAPI32(?), ref: 007D0C17
GetAce.ADVAPI32(?,00000000,?), ref: 007D0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007D0C6D
GetLengthSid.ADVAPI32(?), ref: 007D0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007D0C8C
HeapAlloc.KERNEL32(00000000), ref: 007D0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007D0CB4
CopySid.ADVAPI32(00000000), ref: 007D0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007D0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007D0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007D0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D0D45
HeapFree.KERNEL32(00000000), ref: 007D0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D0D55
HeapFree.KERNEL32(00000000), ref: 007D0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D0D65
HeapFree.KERNEL32(00000000), ref: 007D0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 007D0D78
HeapFree.KERNEL32(00000000), ref: 007D0D7F

Part of subcall function 007D1193: GetProcessHeap.KERNEL32(00000008,007D0BB1,?,00000000,?,007D0BB1,?), ref: 007D11A1
Part of subcall function 007D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007D0BB1,?), ref: 007D11A8
Part of subcall function 007D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007D0BB1,?), ref: 007D11B7

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2d5b679228e89cade6d17321cc467e6c886d18ad576de5fd01a687ffd638e2f2
Instruction ID: 2503730ad2c31942922009e262856142234bf3662b41b7dce6248575a332de88
Opcode Fuzzy Hash: 2d5b679228e89cade6d17321cc467e6c886d18ad576de5fd01a687ffd638e2f2
Instruction Fuzzy Hash: 2F714C76A0020AAFDF10DFA4DC48FEEBBB9BF05310F144616F915A7291D779A905CBA0

Function 007EEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0080CC08), ref: 007EEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 007EEB37
GetClipboardData.USER32(0000000D), ref: 007EEB43
CloseClipboard.USER32 ref: 007EEB4F
GlobalLock.KERNEL32(00000000), ref: 007EEB87
CloseClipboard.USER32 ref: 007EEB91
GlobalUnlock.KERNEL32(00000000), ref: 007EEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 007EEBC9
GetClipboardData.USER32(00000001), ref: 007EEBD1
GlobalLock.KERNEL32(00000000), ref: 007EEBE2
GlobalUnlock.KERNEL32(00000000), ref: 007EEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 007EEC38
GetClipboardData.USER32(0000000F), ref: 007EEC44
GlobalLock.KERNEL32(00000000), ref: 007EEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 007EEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007EEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007EECD2
GlobalUnlock.KERNEL32(00000000), ref: 007EECF3
CountClipboardFormats.USER32 ref: 007EED14
CloseClipboard.USER32 ref: 007EED59

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3c9378e7130fac33c411bcdb8c536647940dfaa68e1115f1d0aa7a696aca7870
Instruction ID: 86bc5810da606049dfc1881f6f5a61b1ebcf027cfd13fb521656e6a4c5c17645
Opcode Fuzzy Hash: 3c9378e7130fac33c411bcdb8c536647940dfaa68e1115f1d0aa7a696aca7870
Instruction Fuzzy Hash: 7461F074205341AFD710EF25DC89F2AB7A4BF88744F148A1DF45A872A2DB39ED05CB62

Function 007E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007E69BE
FindClose.KERNEL32(00000000), ref: 007E6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007E6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007E6A75

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 007E6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 007E6ADF

Strings

%03d, xrefs: 007E6DA2
%4d, xrefs: 007E6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 007E6B6A
%02d, xrefs: 007E6C00, 007E6C0A, 007E6C5A, 007E6CAA, 007E6CFA, 007E6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 007E6B32

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 89592b53897ef879106d5f71855e86454a58bdeaa7a8eb451db4d9102b8c639c
Instruction ID: 51a7d1fe8ef76495d473138df2853c1cb463a0cc4c07476aa1c5137122db346b
Opcode Fuzzy Hash: 89592b53897ef879106d5f71855e86454a58bdeaa7a8eb451db4d9102b8c639c
Instruction Fuzzy Hash: 2ED161B2508340AFC714EB64CC85EABB7ECBF99744F04891DF589D6191EB38DA04CB62

Function 007E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007E9663
GetFileAttributesW.KERNEL32(?), ref: 007E96A1
SetFileAttributesW.KERNEL32(?,?), ref: 007E96BB
FindNextFileW.KERNEL32(00000000,?), ref: 007E96D3
FindClose.KERNEL32(00000000), ref: 007E96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007E96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 007E974A
SetCurrentDirectoryW.KERNEL32(00836B7C), ref: 007E9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 007E9772
FindClose.KERNEL32(00000000), ref: 007E977F
FindClose.KERNEL32(00000000), ref: 007E978F

Strings

*.*, xrefs: 007E96F5

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 763c19ea1f653cc3fe3fbaffa820f38d38b083d2d6df101e382253d96a9721af
Instruction ID: cc76a0017aa4ff239f687d1a02a8a4283a05a2b440231b83de08c080f8424143
Opcode Fuzzy Hash: 763c19ea1f653cc3fe3fbaffa820f38d38b083d2d6df101e382253d96a9721af
Instruction Fuzzy Hash: CC31C233502259AADF20AFB5EC49ADE77ACBF4D360F104166FA15E2191EB38DD448A50

Function 007E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007E97BE
FindNextFileW.KERNEL32(00000000,?), ref: 007E9819
FindClose.KERNEL32(00000000), ref: 007E9824
FindFirstFileW.KERNEL32(*.*,?), ref: 007E9840
SetCurrentDirectoryW.KERNEL32(?), ref: 007E9890
SetCurrentDirectoryW.KERNEL32(00836B7C), ref: 007E98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007E98B8
FindClose.KERNEL32(00000000), ref: 007E98C5
FindClose.KERNEL32(00000000), ref: 007E98D5

Part of subcall function 007DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007DDB00

Strings

*.*, xrefs: 007E983B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b5d461451ae65fede9b6ed3f639551b5088f04226188922b7f74601ed8d41c13
Instruction ID: 2e932d6af487681699480180278506a32fa1926452efb6610512b24a922a967f
Opcode Fuzzy Hash: b5d461451ae65fede9b6ed3f639551b5088f04226188922b7f74601ed8d41c13
Instruction Fuzzy Hash: 0231C332501259AADF20AFB5EC48ADE77ACFF4A320F108155EA10E21E1EB39DD458B60

Function 007FBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007FB6AE,?,?), ref: 007FC9B5
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FC9F1
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FCA68
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007FBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 007FBFA9
RegCloseKey.ADVAPI32(00000000), ref: 007FBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007FC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007FC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007FC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007FC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 007FC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007FC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007FC382
RegCloseKey.ADVAPI32(00000000), ref: 007FC38F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: bed235de4437c7ad076b9c35e003c6d4cef847a85abaa1e69654e17021d04acd
Instruction ID: 099db91ab0e01c46b3254c820bfefdb38576e2e09b03fab9c601835e870b87c7
Opcode Fuzzy Hash: bed235de4437c7ad076b9c35e003c6d4cef847a85abaa1e69654e17021d04acd
Instruction Fuzzy Hash: 48026B70604204DFDB15DF24C985E2ABBE5AF89348F18C49CF94A8B3A2DB35EC45CB52

Function 007E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007E8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 007E8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007E8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007E8310
SetCurrentDirectoryW.KERNEL32(?), ref: 007E8324
SetCurrentDirectoryW.KERNEL32(?), ref: 007E8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007E838C
SetCurrentDirectoryW.KERNEL32(?), ref: 007E8395

Strings

*.*, xrefs: 007E839B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 796fdfcff8525e47f78b30f12535556afeb02742fa601c711aaa5094623918a2
Instruction ID: fec187d87e2e95275416d4a1a441fde0099fc6c3c242c4aca4187a1f635e769f
Opcode Fuzzy Hash: 796fdfcff8525e47f78b30f12535556afeb02742fa601c711aaa5094623918a2
Instruction Fuzzy Hash: C26189B25043459FCB10EF64C8459AEB3E8FF89314F04892EF99997251EB39E905CB92

Function 007DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00773AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00773A97,?,?,00772E7F,?,?,?,00000000), ref: 00773AC2

Part of subcall function 007DE199: GetFileAttributesW.KERNEL32(?,007DCF95), ref: 007DE19A

FindFirstFileW.KERNEL32(?,?), ref: 007DD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 007DD1DD
MoveFileW.KERNEL32(?,?), ref: 007DD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 007DD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 007DD237

Part of subcall function 007DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,007DD21C,?,?), ref: 007DD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 007DD253
FindClose.KERNEL32(00000000), ref: 007DD264

Strings

\*.*, xrefs: 007DD0CD, 007DD0D6, 007DD0EB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: bb72bc138fd33f63f2390399b29dfb2a4293c3d5e9e90df7bc458670f5034659
Instruction ID: f3c0802dbcd4b2c42183660b012f3e9a8021277171ae1253e2e093e210712990
Opcode Fuzzy Hash: bb72bc138fd33f63f2390399b29dfb2a4293c3d5e9e90df7bc458670f5034659
Instruction Fuzzy Hash: BD617A3180110DEACF15EBE0CE969EDB7B5BF55340F208166E40677292EB39AF09CB61

Function 007EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007EED91
EmptyClipboard.USER32 ref: 007EED97
GlobalAlloc.KERNEL32(00000002,?), ref: 007EEDAC
CloseClipboard.USER32 ref: 007EEEA3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: de33e5c5ec4bbdf3f9f2feae6ad852114a9528e9873ed5c9c70c87a214a91c78
Instruction ID: e63760534136eb5d7c10ce8a77f65d31d760ff2d90f5f164b6968d3be3c30789
Opcode Fuzzy Hash: de33e5c5ec4bbdf3f9f2feae6ad852114a9528e9873ed5c9c70c87a214a91c78
Instruction Fuzzy Hash: EB41AD35605651AFE720DF16D888B19BBE1FF49328F14C59DE4298B7A2C73AEC41CB90

Function 007DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007D170D
Part of subcall function 007D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007D173A
Part of subcall function 007D16C3: GetLastError.KERNEL32 ref: 007D174A

ExitWindowsEx.USER32(?,00000000), ref: 007DE932

Strings

SeShutdownPrivilege, xrefs: 007DE902
@, xrefs: 007DE925
, xrefs: 007DE95C
, xrefs: 007DE920

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c4b712ee22ab0e20a2d6c5edd98da93ab36a173f0cfda5cb361b321f8f2771b5
Instruction ID: b0d9b5910ddca9bb9106dd8409d7cc0b15386ac5da7363174e82bc49504f7381
Opcode Fuzzy Hash: c4b712ee22ab0e20a2d6c5edd98da93ab36a173f0cfda5cb361b321f8f2771b5
Instruction Fuzzy Hash: DB014972611211FBEB5537B49C9AFBF72BCAB04740F150923FC13E63D1D6A86C408191

Function 007F1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007F1276
WSAGetLastError.WSOCK32 ref: 007F1283
bind.WSOCK32(00000000,?,00000010), ref: 007F12BA
WSAGetLastError.WSOCK32 ref: 007F12C5
closesocket.WSOCK32(00000000), ref: 007F12F4
listen.WSOCK32(00000000,00000005), ref: 007F1303
WSAGetLastError.WSOCK32 ref: 007F130D
closesocket.WSOCK32(00000000), ref: 007F133C

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: cb63b11330213168565563b9dcdbf3419caee956ef817add763f867068eaf866
Instruction ID: 91026d9904a340cfdd18b1ebc3e43969ba2f30b4d2292eb0819f4a6353e38505
Opcode Fuzzy Hash: cb63b11330213168565563b9dcdbf3419caee956ef817add763f867068eaf866
Instruction Fuzzy Hash: 55417E31A00144DFD710DF68C488B2ABBE6BF4A318F58C198E9569F392C775ED81CBA1

Function 007DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00773AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00773A97,?,?,00772E7F,?,?,?,00000000), ref: 00773AC2

Part of subcall function 007DE199: GetFileAttributesW.KERNEL32(?,007DCF95), ref: 007DE19A

FindFirstFileW.KERNEL32(?,?), ref: 007DD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 007DD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 007DD481
FindClose.KERNEL32(00000000), ref: 007DD498
FindClose.KERNEL32(00000000), ref: 007DD4A1

Strings

\*.*, xrefs: 007DD3F2

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 1a0467ce31bab99a367ebb16e91ecdef9e66d73a4d9d30595f46a79f1bdf572b
Instruction ID: 11526f727a4b8e9c22487943f2cf9f4046ed5cc4a2ce84b768f329768eff2cb8
Opcode Fuzzy Hash: 1a0467ce31bab99a367ebb16e91ecdef9e66d73a4d9d30595f46a79f1bdf572b
Instruction Fuzzy Hash: 98317271008385EBC711EF64C8558AFB7A8BE91344F448A1EF8D552291EB28AE09CB63

Function 007AE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007AE645

Strings

1#IND, xrefs: 007AF83D
1#SNAN, xrefs: 007AF844
1#QNAN, xrefs: 007AF84B
1#INF, xrefs: 007AF852

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 33bfe45a3498e2abe06ffe6346a62e5ddeca2353feac05490825f4fac98e2ed1
Instruction ID: 32193dfb728ac0464d28c07fa17195057c046f568286918da5913870802bbf65
Opcode Fuzzy Hash: 33bfe45a3498e2abe06ffe6346a62e5ddeca2353feac05490825f4fac98e2ed1
Instruction Fuzzy Hash: 2FC22B71E046288FDF25CE68DD447EAB7B5EB8A305F1442EAD44DE7241E778AE818F40

Function 007E648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007E64DC
CoInitialize.OLE32(00000000), ref: 007E6639
CoCreateInstance.OLE32(0080FCF8,00000000,00000001,0080FB68,?), ref: 007E6650
CoUninitialize.OLE32 ref: 007E68D4

Strings

.lnk, xrefs: 007E64BA, 007E6524, 007E65E0

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9ee5c1d9e730c36a2b743653336d36c5ab99c959a62dd8825841a13c8eed18f5
Instruction ID: c516a20549b97e52e320ab0f182db08301d96a4d530b278f80e35fc5527735a9
Opcode Fuzzy Hash: 9ee5c1d9e730c36a2b743653336d36c5ab99c959a62dd8825841a13c8eed18f5
Instruction Fuzzy Hash: 1DD16971608341AFC714DF24C885E6BB7E8FF99744F00892DF5998B2A1EB34E905CB92

Function 007F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007F22E8

Part of subcall function 007EE4EC: GetWindowRect.USER32(?,?), ref: 007EE504

GetDesktopWindow.USER32 ref: 007F2312
GetWindowRect.USER32(00000000), ref: 007F2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 007F2355
GetCursorPos.USER32(?), ref: 007F2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007F23DF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d48e937bc21c9056e9b23e1169a03b07d834be14906dbfe3efe74dc606575858
Instruction ID: 7cc106015b81cebd134179840ef682997a91e78b9428a279b81dcc805bf4c97b
Opcode Fuzzy Hash: d48e937bc21c9056e9b23e1169a03b07d834be14906dbfe3efe74dc606575858
Instruction Fuzzy Hash: 5431D2B25053199FD720DF54C849F6BBBA9FF84314F000A19F58597291D738E909CB92

Function 007E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 007E9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 007E9C8B

Part of subcall function 007E3874: GetInputState.USER32 ref: 007E38CB
Part of subcall function 007E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 007E9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 007E9C75

Strings

*.*, xrefs: 007E9B5D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ee5cec09c8726f4fe944aba99259a20445969cd113856f11fc003f2ccd5f9b91
Instruction ID: c55e3d559e434c641fd6a5142bdd8580abb56d22fed711d98eabcaf09aba98bd
Opcode Fuzzy Hash: ee5cec09c8726f4fe944aba99259a20445969cd113856f11fc003f2ccd5f9b91
Instruction Fuzzy Hash: 43419372901249EFCF54EF75C849AEEBBB4FF09350F208155E509A21A1EB389E84CF60

Function 0078997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00789BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00789BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00789A4E
GetSysColor.USER32(0000000F), ref: 00789B23
SetBkColor.GDI32(?,00000000), ref: 00789B36

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0c83ffc8de4c5f736a94b6e85e56ae3dddbf25b22987b44d52d18552340eac0d
Instruction ID: 0f2ffde5a480ee9936db12ad1da6f424fe3aff49a5132d85cd5e2762690ca30b
Opcode Fuzzy Hash: 0c83ffc8de4c5f736a94b6e85e56ae3dddbf25b22987b44d52d18552340eac0d
Instruction Fuzzy Hash: 5BA1E970288404BEE72DBA2D8C5DE7B2A9DFB82350B19411DF602D6AD1CE2D9D41C777

Function 007F1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007F307A
Part of subcall function 007F304E: _wcslen.LIBCMT ref: 007F309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007F185D
WSAGetLastError.WSOCK32 ref: 007F1884
bind.WSOCK32(00000000,?,00000010), ref: 007F18DB
WSAGetLastError.WSOCK32 ref: 007F18E6
closesocket.WSOCK32(00000000), ref: 007F1915

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c017e285b6897415edd7fcd5c06ab24b394b0b94d0ebe4984d172c9b7b693877
Instruction ID: 13d7210424d786a5be475e111d52e4d1a5427dee88adca2c7ea2b7cfeeb71cda
Opcode Fuzzy Hash: c017e285b6897415edd7fcd5c06ab24b394b0b94d0ebe4984d172c9b7b693877
Instruction Fuzzy Hash: 1851A171A40200EFDB10AF24C88AF2A77A5AB49758F58C458FA095F383D779AD418BE1

Function 00801C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00801CC0
IsWindowEnabled.USER32 ref: 00801CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00801CDB
IsIconic.USER32 ref: 00801CE9
IsZoomed.USER32 ref: 00801CF7

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ffbbd8ea7ff24cf025c27316e5a57a010d0658624eea86f1a27d9a6a1a4855bd
Instruction ID: 7df05fd7a84d7583c9196e4129bf13966c1f2054bae0b7cc482aa04c371b4ed0
Opcode Fuzzy Hash: ffbbd8ea7ff24cf025c27316e5a57a010d0658624eea86f1a27d9a6a1a4855bd
Instruction Fuzzy Hash: 752174317416119FEB618F2ACC88B5A7BA5FF95325F19805CE846CB291CB75DC42CB90

Function 00778060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0077843C
VUUU, xrefs: 007783FA
ERCP, xrefs: 0077813C
VUUU, xrefs: 007783E8
VUUU, xrefs: 007B5DF0

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ce9a5755f9934a1dd6293f1c8c316029e692b9b3b0a8f9cfb2aec64275074357
Instruction ID: 7b722643f08cfc26ce529c72a9efd195728d9c774cabfee4f0613edc51f3f499
Opcode Fuzzy Hash: ce9a5755f9934a1dd6293f1c8c316029e692b9b3b0a8f9cfb2aec64275074357
Instruction Fuzzy Hash: 62A2A170E4021ACBDF64CF58C8447EEB7B1BF54350F2481AAE919A7285EB789D81CF91

Function 007DAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 007DAAAC
SetKeyboardState.USER32(00000080), ref: 007DAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 007DAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 007DAB88

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: aa56c107e099f6ca41b2db1c46f926cc68c0ba141bf470c0f1a88421b652c1ba
Instruction ID: 088aa0571c0ec065cef3e8054150d1879da7bd5128ff43b07525a2438c9cf0a4
Opcode Fuzzy Hash: aa56c107e099f6ca41b2db1c46f926cc68c0ba141bf470c0f1a88421b652c1ba
Instruction Fuzzy Hash: C931E5B0A40248BEEF358B648C09BFA7BB6BB45310F14431BF591567E1D37D8982C762

Function 007ABB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007ABB7F

Part of subcall function 007A29C8: HeapFree.KERNEL32(00000000,00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000), ref: 007A29DE
Part of subcall function 007A29C8: GetLastError.KERNEL32(00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000,00000000), ref: 007A29F0

GetTimeZoneInformation.KERNEL32 ref: 007ABB91
WideCharToMultiByte.KERNEL32(00000000,?,0084121C,000000FF,?,0000003F,?,?), ref: 007ABC09
WideCharToMultiByte.KERNEL32(00000000,?,00841270,000000FF,?,0000003F,?,?,?,0084121C,000000FF,?,0000003F,?,?), ref: 007ABC36

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 2814ca734f62c1f956017a42c05fae2f1a16be9ab13fcb83dcda6fe9fe8843c8
Instruction ID: e6a0741d947b56d78ad1c102bd8c8f083724ca9b8573ae50002d2860eefd0dc6
Opcode Fuzzy Hash: 2814ca734f62c1f956017a42c05fae2f1a16be9ab13fcb83dcda6fe9fe8843c8
Instruction Fuzzy Hash: 6E31CF70904215DFCF10DF69DC84829BBB8FF87720B1443AAE020D72A2D7749D80CB60

Function 007ECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 007ECE89
GetLastError.KERNEL32(?,00000000), ref: 007ECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 007ECEFE

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 507df9e40709e1cbf1b09d7d1693ac41f540452b1e03ac9232cfae1a0b1bee4b
Instruction ID: 88516bd38c96d4f60530aa95eb11f9cb23e188cf147d0a1f475d48a2b75c883c
Opcode Fuzzy Hash: 507df9e40709e1cbf1b09d7d1693ac41f540452b1e03ac9232cfae1a0b1bee4b
Instruction Fuzzy Hash: 7421EDB5501305EFEB31DFA6C949BAA77F8EB04308F10441EE542D2151E778EE068B60

Function 007D8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007D82AA

Strings

|, xrefs: 007D82DA
(, xrefs: 007D82F0

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: df24e07e3f187d93d71178a692b53298b0708f5eac2be7d8c5dc79030ad011bc
Instruction ID: 9a394721710f8011ad78773de3f6a096c76015688b208edf407c70a6bdfaca06
Opcode Fuzzy Hash: df24e07e3f187d93d71178a692b53298b0708f5eac2be7d8c5dc79030ad011bc
Instruction Fuzzy Hash: 4B323474A00605DFCB68CF59C481A6AB7F0FF48720B15C56EE59ADB3A1EB74E981CB40

Function 007E5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007E5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 007E5D17
FindClose.KERNEL32(?), ref: 007E5D5F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d96c498d8ffe2b3421274251442edc167946c21fcb96f50cff313e167a12f410
Instruction ID: 35e3e070b59b874784e12679afb33cee646d25d14fec2bb47d3636b4a16518c5
Opcode Fuzzy Hash: d96c498d8ffe2b3421274251442edc167946c21fcb96f50cff313e167a12f410
Instruction Fuzzy Hash: B351BB34700A45DFC714DF28C898A9AB7E4FF49318F14855DE95A8B3A2CB34EC04CB91

Function 007A2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 007A271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007A2724
UnhandledExceptionFilter.KERNEL32(?), ref: 007A2731

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2fe815d9ace5485f4db4c568e0b10314b5070eb31e5ebc3e9abfb96127098be5
Instruction ID: 88aea5a920ed7fd4dcf9bf7df36171613ebe0f99ccf827d4946cadb20cb82316
Opcode Fuzzy Hash: 2fe815d9ace5485f4db4c568e0b10314b5070eb31e5ebc3e9abfb96127098be5
Instruction Fuzzy Hash: 8D31B574911218ABCB21DF68DD897DDB7B8BF48310F5042EAE81CA7261E7349F818F85

Function 007E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007E51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007E5238
SetErrorMode.KERNEL32(00000000), ref: 007E52A1

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: eecbe59f8745f6be198b0a71d0a4260cbc43071b882a1b2abb0abdfdbc5f26ef
Instruction ID: 19fba6b5f5310e2cabc4c660df82b1e41daa7955fe4480f8dcb78115470dc7ac
Opcode Fuzzy Hash: eecbe59f8745f6be198b0a71d0a4260cbc43071b882a1b2abb0abdfdbc5f26ef
Instruction Fuzzy Hash: 2E316F75A00518DFDB00DF54D888EADBBB4FF49318F088099E909AB3A2DB75EC55CB90

Function 007D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0078FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00790668
Part of subcall function 0078FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00790685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007D170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007D173A
GetLastError.KERNEL32 ref: 007D174A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 1b661a53df130a775b73bb2068fcf5534da728973876c933286d839115ef8876
Instruction ID: 9768d3f498b598904d844bc638a89e57c20c6a8933ed48b6c62e7f8233b7e141
Opcode Fuzzy Hash: 1b661a53df130a775b73bb2068fcf5534da728973876c933286d839115ef8876
Instruction Fuzzy Hash: 1F11CEB2500304FFE718AF64DC8AD6AB7BDFB04724B20852EE45653251EB74FC418B20

Function 007DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007DD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007DD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007DD650

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c31bfb8189296eefe5013de9839aaf19fe884a1e982656f580255a5d79976d7e
Instruction ID: 9ec30f679d8cb9621298e28dbbb4ba91d868d00728c851dd2f971775001fab9a
Opcode Fuzzy Hash: c31bfb8189296eefe5013de9839aaf19fe884a1e982656f580255a5d79976d7e
Instruction Fuzzy Hash: E8113C75E05228BBDB208F959C45FAFBBBCEB45B50F108156F904E7290D6704A058BA1

Function 007D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007D168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007D16A1
FreeSid.ADVAPI32(?), ref: 007D16B1

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 132b976d905c7c7d2de28b71a2b3e0fe06504ee5f7f4b9fff2275ec940592dc8
Instruction ID: 7ac602e33bc6fc5038912e592f0ecbd422c98b01465d0e14a7f373b2a0f8a79b
Opcode Fuzzy Hash: 132b976d905c7c7d2de28b71a2b3e0fe06504ee5f7f4b9fff2275ec940592dc8
Instruction Fuzzy Hash: CDF0F471950309FBEB00DFE49D89AAEBBBCFB08604F504565E501E2191E774AA448A50

Function 007CD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 007CD28C

Strings

X64, xrefs: 007CD2A8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 4f2dd2382df50f041a3a1e1a99680fdb7db93652cddee2815ad2e8e8e2993acb
Instruction ID: c5a18f7d6e471bae7683406e08003868c1686141ff356db6e313305c3c698532
Opcode Fuzzy Hash: 4f2dd2382df50f041a3a1e1a99680fdb7db93652cddee2815ad2e8e8e2993acb
Instruction Fuzzy Hash: 1DD0C9B480111DEACBA4DB90DC88DD9B37CBB14305F100255F106A2040D77499498F10

Function 0079CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 54247c3eaf9ff897dccf8c64f75ce06650fb3a71284fb38b300ef02322b9ca39
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C9022D72E002199FDF15CFA9D9806ADFBF2EF48314F258169D919E7380D734AA41CB94

Function 007E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007E6918
FindClose.KERNEL32(00000000), ref: 007E6961

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b8c400d0cb0d88cebaeaa020ca6bfce528e933ede019c22cff1a236ecabe5e39
Instruction ID: 2f0a9e59026c09054a54eb839f3ecd246e0a586f9f04a8f7450144a64e22a9b5
Opcode Fuzzy Hash: b8c400d0cb0d88cebaeaa020ca6bfce528e933ede019c22cff1a236ecabe5e39
Instruction Fuzzy Hash: E3119071604240DFC710DF2AD488A1ABBE5FF89368F14C69DE4698F6A2C734EC05CB91

Function 007E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007F4891,?,?,00000035,?), ref: 007E37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007F4891,?,?,00000035,?), ref: 007E37F4

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9199f3a3c31bd9c28d160604a76cf5ee810e01c33e26d51cbcf038a7792e5e0e
Instruction ID: 407a571b32b112123c05e59cbe824d24369b6c49a421917590e97836f4958578
Opcode Fuzzy Hash: 9199f3a3c31bd9c28d160604a76cf5ee810e01c33e26d51cbcf038a7792e5e0e
Instruction Fuzzy Hash: F7F0EC706062146ADB5017774C4DFEB369DEFC5761F000265F509D3281D5705904C6B0

Function 007DB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007DB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 007DB270

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 950d3c8c933447bd2fb7ead48fbf3019a12642244d8639e844c75e69ec4abef6
Instruction ID: f50181683ae1a591a897f58c0c2af2c72a7f97155275761762028c4ffcddf641
Opcode Fuzzy Hash: 950d3c8c933447bd2fb7ead48fbf3019a12642244d8639e844c75e69ec4abef6
Instruction Fuzzy Hash: 17F01D7580424DABDB159FA4C805BAE7BB4FF08305F00810AF955A5191C37996119F94

Function 007D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007D11FC), ref: 007D10D4
CloseHandle.KERNEL32(?,?,007D11FC), ref: 007D10E9

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 8e02c5439552a6ddceab26bacc49ce79665ce723cf8d11ab1bea93a08c878b90
Instruction ID: adcda808a0847f733c3bb81c1ffd09e3615e639bf269af3cb21a142a445511a4
Opcode Fuzzy Hash: 8e02c5439552a6ddceab26bacc49ce79665ce723cf8d11ab1bea93a08c878b90
Instruction Fuzzy Hash: 62E04F32014600EEE7252F11FC09E7377A9FB04320B10C92EF5A5805B1DB626CA0DB50

Function 0077CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 007C0C40

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 2193dad157f278a7082bcf5bd9904283443fd98e95c993c9185510814a57b031
Instruction ID: deebdccae55104350cfb2c0d9393a9ad140829d3c8faaef6c5f3e2bbf2f07a37
Opcode Fuzzy Hash: 2193dad157f278a7082bcf5bd9904283443fd98e95c993c9185510814a57b031
Instruction Fuzzy Hash: E4328E71A00218DBDF15DF94C885FEDB7B5BF09384F14805DE80AAB292D779AE45CBA0

Function 007A676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007A6766,?,?,00000008,?,?,007AFEFE,00000000), ref: 007A6998

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b402e8b4dbc5fe782faabee3b668a960aee1296c03cb3398db165650e31b8e23
Instruction ID: ff9d3c2095d23d0da3bdf40916cf5af39752f9613b1737ddc635224f258be193
Opcode Fuzzy Hash: b402e8b4dbc5fe782faabee3b668a960aee1296c03cb3398db165650e31b8e23
Instruction Fuzzy Hash: 62B12B71610608DFD715CF28C48AB657BE0FF86364F29C658E899CF2A2C739E991CB40

Function 0078B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 007C851F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b0c50d67f4ea1f47d16c4e6cd450b8e51d16f5b259febd754dd60e8656716acf
Instruction ID: 6cd5ffb486829c4b9f95af74133d03f9ffa2958cf18072ffae944e25276d10a4
Opcode Fuzzy Hash: b0c50d67f4ea1f47d16c4e6cd450b8e51d16f5b259febd754dd60e8656716acf
Instruction Fuzzy Hash: 04125071900229DBDB54DF58C881BEEB7B5FF48710F14819AE849EB251EB389E81CB91

Function 007EEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 007EEABD

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 44e1322c73f36061e2ca0c0ee339d5d8c347fdc9f3e4c97136b3a64546e20eed
Instruction ID: 74e996d840eb88130fa38242e993d593b01982c045f6910cc197a76ff7a26a7f
Opcode Fuzzy Hash: 44e1322c73f36061e2ca0c0ee339d5d8c347fdc9f3e4c97136b3a64546e20eed
Instruction Fuzzy Hash: 58E012312002049FC710DF5AD404E9AB7D9AF5D764F00C42AFC49C7251D774A8408B90

Function 007909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007903EE), ref: 007909DA

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d9421b3012b20b8571bbe58977ab34fe9e7ae95151af2f082218ed29fe4a875
Instruction ID: 2867f559ad3347b6e0546ba3bc7d93f374d6d91c4688a7b15db93bd91f62d494
Opcode Fuzzy Hash: 0d9421b3012b20b8571bbe58977ab34fe9e7ae95151af2f082218ed29fe4a875
Instruction Fuzzy Hash:

Function 0079781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0079798B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: bbc6717c0279f82ae811f8d9ca7b4640c194556818c7da50703440b58bae0c52
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4351677163CB059BDF3C8568B89EFBE2399DB12354F180509D886DB382C61DEE42D356

Function 007A6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a274c278f6aba9a2d4b853ac854f8c58c1b0b6dfb5bef63429d989dcf980782
Instruction ID: c22aa643e5bacfa193eff62276908a1fb77ee72892ea52d7ca9058765ab6ddcc
Opcode Fuzzy Hash: 7a274c278f6aba9a2d4b853ac854f8c58c1b0b6dfb5bef63429d989dcf980782
Instruction Fuzzy Hash: B1322122D29F414DD7279634DC22336A68DAFF73C5F15D737E81AB59AAEB28C4938100

Function 0078CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5256053b0664a88cee0a32f621d63cc6c1ca5eca534bb04926f13aa0bbf63eec
Instruction ID: 29ea4fffee971f8fbe7da4bc80971ae97af5c461c628d1c2d294b46dae169347
Opcode Fuzzy Hash: 5256053b0664a88cee0a32f621d63cc6c1ca5eca534bb04926f13aa0bbf63eec
Instruction Fuzzy Hash: 55320531A001158BDF2ADF28C494F7D7BA1EB45310F28856ED88EDB291E63CDD81DB61

Function 00777920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5654f741648d8b02bbd1b07e5cf9b2704cb4ad89a489f7c1bf46ff9bfe95b90f
Instruction ID: f564e91a36d22469990647e63ff1efdcf5c3fbb9776e140e6d7fd4cc90b3c276
Opcode Fuzzy Hash: 5654f741648d8b02bbd1b07e5cf9b2704cb4ad89a489f7c1bf46ff9bfe95b90f
Instruction Fuzzy Hash: 7222AFB0A04609DFDF14DF68D885BEEB7F5FF48344F148529E816A7291EB3AA910CB50

Function 007791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407f6cc3f40fe7b5a7a6bd3c0fb5c08e66364043b1c25d48f8866d8833a3307f
Instruction ID: e2518ee70925ade70c242c21e589bcdc286d7220707325bba3c1be7675b8aeb3
Opcode Fuzzy Hash: 407f6cc3f40fe7b5a7a6bd3c0fb5c08e66364043b1c25d48f8866d8833a3307f
Instruction Fuzzy Hash: 2F02A5B1A00105EBDF04DF64D885BEEB7B5FF44340F11C569E91A9B391EB39AA20CB91

Function 007A9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db021306606ce5d0407dca5239d6c589d85dd3078a5d4b93b8e2d1a3b3cc574
Instruction ID: 61073412042a7dcf9ea33fbcc705d75f0f1bf5343df2ecee34581cd3a99a5507
Opcode Fuzzy Hash: 5db021306606ce5d0407dca5239d6c589d85dd3078a5d4b93b8e2d1a3b3cc574
Instruction Fuzzy Hash: D6B1E220D2AF414DD62396399831336FA5CBFBB6D5F51D71BFC2674E22EB2286834240

Function 00791C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: bae471f7b23c86590c4599ef9b8c61b2a467e60d690e75497a711415ec86848b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F69167722090E34ADF2D463AA57403DFFE15A523B239A079DD4F2CA1C5EE28D974D620

Function 00791F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 43c517424b5e9dc2af918973723e0c6d5d7b452cea85588fb8c7f406f8da169e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 8E91A7722090E71ADF6D523D943403EFFE25A923A131A079DD4F2CB1C6EE28D975E620

Function 007919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 67c05da60618c2a8819f536cc7e8d3b8c96ee1106dc302923987b0de03127d8e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D69145722090E34ADF2D467AA57403DFFE19A923B239A479ED4F2CA1C1FD18D974D620

Function 00797A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e878ff7ea552e4f3a6ad2fb2728ddd596c7592c16a7059b5417c39ae22242617
Instruction ID: 0cb573845e6bdb3e4b02bcc08c2bd3de7182cbf8e5f2dc9cc0f17d4253bdbea7
Opcode Fuzzy Hash: e878ff7ea552e4f3a6ad2fb2728ddd596c7592c16a7059b5417c39ae22242617
Instruction Fuzzy Hash: 6B615AB123874996DE3C9A2CBC99BBE2399DF42700F14491EE843DB291D61DDE42C366

Function 00797CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d1cb0ba5612b95c97a191729363db86f2a10cfff42c09ee167d0e4acf5dcc9
Instruction ID: bc025f1421aa522eba2931eba4b6303f3bb61638263d75d54842119dd10d4196
Opcode Fuzzy Hash: 21d1cb0ba5612b95c97a191729363db86f2a10cfff42c09ee167d0e4acf5dcc9
Instruction Fuzzy Hash: 8261697173870997DE3C8A28B896BBF2398EF42704F140959E942DF281DA1EAD42C356

Function 00791706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 7dd0b8290f7901e23f04b3e0d017817e44dc13fd5e36adb60443b68bbc2f87d8
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: C08175726090E309DF6D827A953443EFFE15A923B139A079DD4F2CB1C1EE28D574E620

Function 007E2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea759e5e20309b77f83167937538d89e78c7f138210c37d98eb0e7ce2865dd3
Instruction ID: a64c7e88e21904419815aad5a560ceb8907c9396121028336d8d5e71c4f9be7d
Opcode Fuzzy Hash: 0ea759e5e20309b77f83167937538d89e78c7f138210c37d98eb0e7ce2865dd3
Instruction Fuzzy Hash: 3321A8326216558BDB28CF79C81267A73E9B764310F55862EE4A7C37D1DE39A904CB80

Function 007F2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007F2B30
DeleteObject.GDI32(00000000), ref: 007F2B43
DestroyWindow.USER32 ref: 007F2B52
GetDesktopWindow.USER32 ref: 007F2B6D
GetWindowRect.USER32(00000000), ref: 007F2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 007F2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 007F2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F2CF8
GetClientRect.USER32(00000000,?), ref: 007F2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007F2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F2D80
GlobalLock.KERNEL32(00000000), ref: 007F2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F2D98
GlobalUnlock.KERNEL32(00000000), ref: 007F2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F2DA8
GlobalFree.KERNEL32(00000000), ref: 007F2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0080FC38,00000000), ref: 007F2DDB
GlobalFree.KERNEL32(00000000), ref: 007F2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 007F2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 007F2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007F303F

Strings

AutoIt v3, xrefs: 007F2CF2
static, xrefs: 007F2D3A, 007F2E91
DISPLAY, xrefs: 007F2EA2
, xrefs: 007F2FC5

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c39ad04bca326d5105c9ba4d78efadcb4ca7fde5d8e88ebc5da9d321ee0b4f55
Instruction ID: 35a2e150b449eacb6cc4e1921681956e93e9c60fd27873c79a97a7bdccca3a53
Opcode Fuzzy Hash: c39ad04bca326d5105c9ba4d78efadcb4ca7fde5d8e88ebc5da9d321ee0b4f55
Instruction Fuzzy Hash: 52026C75500208EFDB14DFA4CC89EAE7BB9FF49714F108658F915AB2A1DB78AD01CB60

Function 008070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0080712F
GetSysColorBrush.USER32(0000000F), ref: 00807160
GetSysColor.USER32(0000000F), ref: 0080716C
SetBkColor.GDI32(?,000000FF), ref: 00807186
SelectObject.GDI32(?,?), ref: 00807195
InflateRect.USER32(?,000000FF,000000FF), ref: 008071C0
GetSysColor.USER32(00000010), ref: 008071C8
CreateSolidBrush.GDI32(00000000), ref: 008071CF
FrameRect.USER32(?,?,00000000), ref: 008071DE
DeleteObject.GDI32(00000000), ref: 008071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00807230
FillRect.USER32(?,?,?), ref: 00807262
GetWindowLongW.USER32(?,000000F0), ref: 00807284

Part of subcall function 008073E8: GetSysColor.USER32(00000012), ref: 00807421
Part of subcall function 008073E8: SetTextColor.GDI32(?,?), ref: 00807425
Part of subcall function 008073E8: GetSysColorBrush.USER32(0000000F), ref: 0080743B
Part of subcall function 008073E8: GetSysColor.USER32(0000000F), ref: 00807446
Part of subcall function 008073E8: GetSysColor.USER32(00000011), ref: 00807463
Part of subcall function 008073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00807471
Part of subcall function 008073E8: SelectObject.GDI32(?,00000000), ref: 00807482
Part of subcall function 008073E8: SetBkColor.GDI32(?,00000000), ref: 0080748B
Part of subcall function 008073E8: SelectObject.GDI32(?,?), ref: 00807498
Part of subcall function 008073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008074B7
Part of subcall function 008073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008074CE
Part of subcall function 008073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008074DB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 10867c618a9724f77130ed4e358c1f2e0940a5cd9040a69085e2ec9ee31db803
Instruction ID: 5b588643880dbd92201986937914fbb35878da46059bfd83af5b6c87c0735079
Opcode Fuzzy Hash: 10867c618a9724f77130ed4e358c1f2e0940a5cd9040a69085e2ec9ee31db803
Instruction Fuzzy Hash: 53A19F72408301AFDB919F64DC48E6BBBA9FF89320F100B19F962D61E1D771E944CB91

Function 00788D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00788E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 007C6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007C6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007C6F43

Part of subcall function 00788F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00788BE8,?,00000000,?,?,?,?,00788BBA,00000000,?), ref: 00788FC5

SendMessageW.USER32(?,00001053), ref: 007C6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007C6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 007C6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 007C6FB7

Strings

0, xrefs: 007C6DCF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 66cf42454b1fae0c2c24195d5e07ad61c2c49e19190b33ed7a18875f5d9441c1
Instruction ID: 97424c2011703f250fe9d0bf908cb886a9c7ac78c14adc40cb6908c11cb57a9a
Opcode Fuzzy Hash: 66cf42454b1fae0c2c24195d5e07ad61c2c49e19190b33ed7a18875f5d9441c1
Instruction Fuzzy Hash: E012AD34204201EFDB65DF24C888FA5BBE5FB49300F54456DF5958B261CB39EC92DB92

Function 007F2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007F273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007F286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007F28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007F28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 007F2900
GetClientRect.USER32(00000000,?), ref: 007F290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 007F2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007F2964
GetStockObject.GDI32(00000011), ref: 007F2974
SelectObject.GDI32(00000000,00000000), ref: 007F2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007F2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007F2991
DeleteDC.GDI32(00000000), ref: 007F299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007F29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007F29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 007F2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007F2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 007F2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 007F2A77
GetStockObject.GDI32(00000011), ref: 007F2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007F2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007F2A97

Strings

msctls_progress32, xrefs: 007F2A13
AutoIt v3, xrefs: 007F28F8
static, xrefs: 007F294F, 007F2A71
DISPLAY, xrefs: 007F295A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 280e1a9f143677348e543e0f297af71bee70b016b7f9e9201064718ae5b10946
Instruction ID: 66fdf088174a9eb64b21e2adaee694abf0867a85c05eaa3550820dfb61edc920
Opcode Fuzzy Hash: 280e1a9f143677348e543e0f297af71bee70b016b7f9e9201064718ae5b10946
Instruction Fuzzy Hash: C6B15D75A40209AFEB14DF68CC49FAE7BA9FB08714F108214FA14E7291D778ED41CBA0

Function 007E4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007E4AED
GetDriveTypeW.KERNEL32(?,0080CB68,?,\\.\,0080CC08), ref: 007E4BCA
SetErrorMode.KERNEL32(00000000,0080CB68,?,\\.\,0080CC08), ref: 007E4D36

Strings

CDROM, xrefs: 007E4BFB
SCSI, xrefs: 007E4C8A
Unknown, xrefs: 007E4BED, 007E4C83
ATAPI, xrefs: 007E4C91
RAMDisk, xrefs: 007E4BF4
PhysicalDrive, xrefs: 007E4B76
Fibre, xrefs: 007E4CAD
USB, xrefs: 007E4CB4
Removable, xrefs: 007E4C10, 007E4C15
Fixed, xrefs: 007E4C09
SSA, xrefs: 007E4CA6
iSCSI, xrefs: 007E4CC2
Virtual, xrefs: 007E4CE5
Network, xrefs: 007E4C02
SATA, xrefs: 007E4CD0
1394, xrefs: 007E4C9F
FileBackedVirtual, xrefs: 007E4CEC
RAID, xrefs: 007E4CBB
\\.\, xrefs: 007E4B3F
ATA, xrefs: 007E4C98
SSD, xrefs: 007E4C4A
SAS, xrefs: 007E4CC9
MMC, xrefs: 007E4CDE

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5ff293b4774a9ec60ecd7dbe1af2789cb8ee6ee8983fd6e346330a23cc0b9473
Instruction ID: 12d63bda0b6af932f943cb2967600e631384710c7bd24221456a2c5c50de8647
Opcode Fuzzy Hash: 5ff293b4774a9ec60ecd7dbe1af2789cb8ee6ee8983fd6e346330a23cc0b9473
Instruction Fuzzy Hash: 48619030606145EBCB14DF29C99596877F0FB48344B348415E80AEB7A1EB2EED61DBA1

Function 008073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00807421
SetTextColor.GDI32(?,?), ref: 00807425
GetSysColorBrush.USER32(0000000F), ref: 0080743B
GetSysColor.USER32(0000000F), ref: 00807446
CreateSolidBrush.GDI32(?), ref: 0080744B
GetSysColor.USER32(00000011), ref: 00807463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00807471
SelectObject.GDI32(?,00000000), ref: 00807482
SetBkColor.GDI32(?,00000000), ref: 0080748B
SelectObject.GDI32(?,?), ref: 00807498
InflateRect.USER32(?,000000FF,000000FF), ref: 008074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0080752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00807554
InflateRect.USER32(?,000000FD,000000FD), ref: 00807572
DrawFocusRect.USER32(?,?), ref: 0080757D
GetSysColor.USER32(00000011), ref: 0080758E
SetTextColor.GDI32(?,00000000), ref: 00807596
DrawTextW.USER32(?,008070F5,000000FF,?,00000000), ref: 008075A8
SelectObject.GDI32(?,?), ref: 008075BF
DeleteObject.GDI32(?), ref: 008075CA
SelectObject.GDI32(?,?), ref: 008075D0
DeleteObject.GDI32(?), ref: 008075D5
SetTextColor.GDI32(?,?), ref: 008075DB
SetBkColor.GDI32(?,?), ref: 008075E5

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: cd426a89fd19bbc74a330aca215135180c50970c71e95458e728340c3540d7fb
Instruction ID: 57e34eb87f5cadc776367206afbc66a490d994367961e4114a4a1192f1ef62a9
Opcode Fuzzy Hash: cd426a89fd19bbc74a330aca215135180c50970c71e95458e728340c3540d7fb
Instruction Fuzzy Hash: C2616A76D00218AFDF419FA4DC49AEEBFB9FB09320F104215F911AB2E1D775A940CB90

Function 00800FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00801128
GetDesktopWindow.USER32 ref: 0080113D
GetWindowRect.USER32(00000000), ref: 00801144
GetWindowLongW.USER32(?,000000F0), ref: 00801199
DestroyWindow.USER32(?), ref: 008011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0080120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0080121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00801232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00801245
IsWindowVisible.USER32(00000000), ref: 008012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008012D0
GetWindowRect.USER32(00000000,?), ref: 008012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0080130E
GetMonitorInfoW.USER32(00000000,?), ref: 00801328
CopyRect.USER32(?,?), ref: 0080133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008013AA

Strings

0, xrefs: 008010D3
tooltips_class32, xrefs: 008011E6
(, xrefs: 0080131B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 84c5f7382b1683a4cad4fd94419c82cb738b9ff2360b3ef60ba2d82cbb0bd49b
Instruction ID: 3e839ffb404641be33d3131fbd47f3945fb93d086afd31b731b8d07156e46486
Opcode Fuzzy Hash: 84c5f7382b1683a4cad4fd94419c82cb738b9ff2360b3ef60ba2d82cbb0bd49b
Instruction Fuzzy Hash: 63B15971604341AFDB94DF64C888B6ABBE4FF88754F00891CF999DB2A1C771E844CB92

Function 00788891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00788968
GetSystemMetrics.USER32(00000007), ref: 00788970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0078899B
GetSystemMetrics.USER32(00000008), ref: 007889A3
GetSystemMetrics.USER32(00000004), ref: 007889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00788A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00788A3C
GetClientRect.USER32(00000000,000000FF), ref: 00788A5A
GetStockObject.GDI32(00000011), ref: 00788A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00788A81

Part of subcall function 0078912D: GetCursorPos.USER32(?), ref: 00789141
Part of subcall function 0078912D: ScreenToClient.USER32(00000000,?), ref: 0078915E
Part of subcall function 0078912D: GetAsyncKeyState.USER32(00000001), ref: 00789183
Part of subcall function 0078912D: GetAsyncKeyState.USER32(00000002), ref: 0078919D

SetTimer.USER32(00000000,00000000,00000028,007890FC), ref: 00788AA8

Strings

AutoIt v3 GUI, xrefs: 00788A20

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 36e30e181e56dfe98fa13edcd6db07132933d610a7c6145df4718db5b38f20ba
Instruction ID: 3b10b8045955d7166ac45249b7cad169c65746cf4ab8eb3263a38b0a53a20adf
Opcode Fuzzy Hash: 36e30e181e56dfe98fa13edcd6db07132933d610a7c6145df4718db5b38f20ba
Instruction Fuzzy Hash: 19B14C75A40209DFDF54EFA8CC89BAE7BB5FB48314F104229FA15A7290DB78A841CB51

Function 007D0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007D1114
Part of subcall function 007D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D1120
Part of subcall function 007D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D112F
Part of subcall function 007D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D1136
Part of subcall function 007D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007D0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007D0E29
GetLengthSid.ADVAPI32(?), ref: 007D0E40
GetAce.ADVAPI32(?,00000000,?), ref: 007D0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007D0E96
GetLengthSid.ADVAPI32(?), ref: 007D0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007D0EB5
HeapAlloc.KERNEL32(00000000), ref: 007D0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007D0EDD
CopySid.ADVAPI32(00000000), ref: 007D0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007D0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007D0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007D0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D0F6E
HeapFree.KERNEL32(00000000), ref: 007D0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D0F7E
HeapFree.KERNEL32(00000000), ref: 007D0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D0F8E
HeapFree.KERNEL32(00000000), ref: 007D0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 007D0FA1
HeapFree.KERNEL32(00000000), ref: 007D0FA8

Part of subcall function 007D1193: GetProcessHeap.KERNEL32(00000008,007D0BB1,?,00000000,?,007D0BB1,?), ref: 007D11A1
Part of subcall function 007D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007D0BB1,?), ref: 007D11A8
Part of subcall function 007D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007D0BB1,?), ref: 007D11B7

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7068d5ce7a680f29f5d1bce46414f79334c44f7a9b12e8a5a72f51412f40348e
Instruction ID: ea6f97fd91a3e65173850e4d37a45e2d15176cdaf7ba0c73c06b97f63251abe0
Opcode Fuzzy Hash: 7068d5ce7a680f29f5d1bce46414f79334c44f7a9b12e8a5a72f51412f40348e
Instruction Fuzzy Hash: FD715C7290020AEFDF209FA5DC48FEEBBB8BF04310F144216F959E6291D7759A05CBA0

Function 007FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007FC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0080CC08,00000000,?,00000000,?,?), ref: 007FC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 007FC5A4
_wcslen.LIBCMT ref: 007FC5F4
_wcslen.LIBCMT ref: 007FC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 007FC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 007FC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 007FC84D
RegCloseKey.ADVAPI32(?), ref: 007FC881
RegCloseKey.ADVAPI32(00000000), ref: 007FC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 007FC960

Strings

REG_EXPAND_SZ, xrefs: 007FC5CD
REG_MULTI_SZ, xrefs: 007FC6F5
REG_QWORD, xrefs: 007FC8C3
REG_BINARY, xrefs: 007FC913
REG_SZ, xrefs: 007FC644
REG_DWORD, xrefs: 007FC804

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 439b87d6c5499ee1d6bc4fb790c807d9dfb675d4a9a4e2f3a47da4b927d2c65b
Instruction ID: 3a7e788c19517eb1a8289c5f9170a150c551bca6f1724d8e96dc6f597e4e7115
Opcode Fuzzy Hash: 439b87d6c5499ee1d6bc4fb790c807d9dfb675d4a9a4e2f3a47da4b927d2c65b
Instruction Fuzzy Hash: E8126735204205DFDB15DF24C985A2AB7E5FF88754F14889CF98A9B3A2DB39EC41CB81

Function 0080091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008009C6
_wcslen.LIBCMT ref: 00800A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00800A54
_wcslen.LIBCMT ref: 00800A8A
_wcslen.LIBCMT ref: 00800B06
_wcslen.LIBCMT ref: 00800B81

Part of subcall function 0078F9F2: _wcslen.LIBCMT ref: 0078F9FD

Part of subcall function 007D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007D2BFA

Strings

ISCHECKED, xrefs: 00800CE1
UNCHECK, xrefs: 00800D3E
EXPAND, xrefs: 00800BF8
GETITEMCOUNT, xrefs: 00800C1E
CHECK, xrefs: 00800A85, 00800AA0
GETTEXT, xrefs: 00800C97
GETSELECTED, xrefs: 00800C4E
SELECT, xrefs: 00800D11
EXISTS, xrefs: 00800B7C, 00800B97
COLLAPSE, xrefs: 00800B01, 00800B1C
GETTOTALCOUNT, xrefs: 008009F2, 00800A17

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: e2bf9d367c66704325e0002503f68f77a609ac8f6fe86c021bd13bdca1b4a108
Instruction ID: a23d0117675603bb69b19a54bc65792c7bdddbd5987710b37f089e080e44a49f
Opcode Fuzzy Hash: e2bf9d367c66704325e0002503f68f77a609ac8f6fe86c021bd13bdca1b4a108
Instruction Fuzzy Hash: 76E156312087019FCB54DF24C850A2AB7E1FF99358F14895DE89A9B3A2DB34ED46CB91

Function 007FC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007FB6AE,?,?), ref: 007FC9B5
_wcslen.LIBCMT ref: 007FC9F1
_wcslen.LIBCMT ref: 007FCA68
_wcslen.LIBCMT ref: 007FCA9E
_wcslen.LIBCMT ref: 007FCAF9
_wcslen.LIBCMT ref: 007FCB2F
_wcslen.LIBCMT ref: 007FCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 007FCB79, 007FCB7E
HKEY_LOCAL_MACHINE, xrefs: 007FCA62, 007FCA67
HKLM, xrefs: 007FCA98, 007FCA9D
HKCC, xrefs: 007FCBAC
HKCU, xrefs: 007FCBCE
HKU, xrefs: 007FCBF0
HKEY_CLASSES_ROOT, xrefs: 007FCAF3, 007FCAF8
HKEY_CURRENT_USER, xrefs: 007FCBBD
HKCR, xrefs: 007FCB29, 007FCB2E
HKEY_USERS, xrefs: 007FCBDF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: cf90f65d624dcc8f04d9d2176dc79da4c3ba65a93b8f3256e8932df5c123546b
Instruction ID: bc3f31adf92fa87f1ef56f6b62b2eb8d9630760c887dde9f381cde98f29fd354
Opcode Fuzzy Hash: cf90f65d624dcc8f04d9d2176dc79da4c3ba65a93b8f3256e8932df5c123546b
Instruction Fuzzy Hash: EC71D57260052E8BCF22DE7CCE515BA3391AFA0764F254524FA66D7384E63DED45C3A0

Function 0080833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0080835A
_wcslen.LIBCMT ref: 0080836E
_wcslen.LIBCMT ref: 00808391
_wcslen.LIBCMT ref: 008083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0080361A,?), ref: 0080844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00808487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00808501
FreeLibrary.KERNEL32(?), ref: 0080850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0080851D
DestroyIcon.USER32(?), ref: 0080852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00808549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00808555

Strings

.icl, xrefs: 00808368
.dll, xrefs: 008083AB
.exe, xrefs: 00808388

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 94c98fa531935311e776455c8d626348c95e68aa574f25919906cc86d51d2e26
Instruction ID: 1a01a232b516ac254929101abcd60dc5e8e113d23f317a133f3486ad770b01c6
Opcode Fuzzy Hash: 94c98fa531935311e776455c8d626348c95e68aa574f25919906cc86d51d2e26
Instruction Fuzzy Hash: 9561F071500619FEEB64CF64DC85FBE77A8FB08B21F104609F855E61D1DB78A980CBA0

Function 00777778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 007B528C
#OnAutoItStartRegister, xrefs: 00777817
#pragma compile, xrefs: 007777D3
#include-once, xrefs: 0077782F
#requireadmin, xrefs: 007777FF
#cs, xrefs: 00777873, 007778C5
#notrayicon, xrefs: 007777E7
#comments-end, xrefs: 007778D9
#ce, xrefs: 007778ED
Cannot parse #include, xrefs: 007B5279
', xrefs: 007B5169
#include, xrefs: 00777847
", xrefs: 007B5153
#comments-start, xrefs: 0077785F, 007778B1
Bad directive syntax error, xrefs: 007B519A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 009af28bd7ab9484468a1c2346b9f268df77f3ec11dbffe07e1409ff592228aa
Instruction ID: d826c952a40948d24d38808b124c27bb937b2f2f58018de56f22452bdecf56b6
Opcode Fuzzy Hash: 009af28bd7ab9484468a1c2346b9f268df77f3ec11dbffe07e1409ff592228aa
Instruction Fuzzy Hash: 2481E471644209FBDF29AF64DC46FAE37A8BF15340F008024F918AA292EB7CD911C7E1

Function 007E3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007E3EF8
_wcslen.LIBCMT ref: 007E3F03
_wcslen.LIBCMT ref: 007E3F5A
_wcslen.LIBCMT ref: 007E3F98
GetDriveTypeW.KERNEL32(?), ref: 007E3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007E401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007E4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007E4087

Strings

closed, xrefs: 007E3F08, 007E3F2D, 007E3F46, 007E3F7E, 007E3F97
close cd wait, xrefs: 007E4072
type cdaudio alias cd wait, xrefs: 007E4001
set cd door , xrefs: 007E4028
close, xrefs: 007E3EFE, 007E3F18
open , xrefs: 007E3FE5
open, xrefs: 007E3F54, 007E3F59
wait, xrefs: 007E4044

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: f4d95bf821a9c257e0705ff0972520dc6fcbfc8e39a57ed7c1a2d8c4fef8b9e2
Instruction ID: 237aba4bdee1c45a734d0d8e735214e3ae92942b2b8dae3b53ddcb76d9d0a0ff
Opcode Fuzzy Hash: f4d95bf821a9c257e0705ff0972520dc6fcbfc8e39a57ed7c1a2d8c4fef8b9e2
Instruction Fuzzy Hash: EF71E3326042019FCB10EF29C88586AB7F4FF987A4F10892DF59997251EB38DE46CB91

Function 007D5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 007D5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007D5A40
SetWindowTextW.USER32(?,?), ref: 007D5A57
GetDlgItem.USER32(?,000003EA), ref: 007D5A6C
SetWindowTextW.USER32(00000000,?), ref: 007D5A72
GetDlgItem.USER32(?,000003E9), ref: 007D5A82
SetWindowTextW.USER32(00000000,?), ref: 007D5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007D5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007D5AC3
GetWindowRect.USER32(?,?), ref: 007D5ACC
_wcslen.LIBCMT ref: 007D5B33
SetWindowTextW.USER32(?,?), ref: 007D5B6F
GetDesktopWindow.USER32 ref: 007D5B75
GetWindowRect.USER32(00000000), ref: 007D5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 007D5BD3
GetClientRect.USER32(?,?), ref: 007D5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 007D5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007D5C2F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c7c8c065dbc99b128ef91fbc2b9679ea2483314c2c84ed6c3e7846a90f53fc40
Instruction ID: 1d1713aa2991e3c29302ff7c85f70c03709fef76ccf2cb521a168419a7041bdf
Opcode Fuzzy Hash: c7c8c065dbc99b128ef91fbc2b9679ea2483314c2c84ed6c3e7846a90f53fc40
Instruction Fuzzy Hash: D0716F71900B05EFDB20DFA8CE85A6EBBF5FF48704F10461AE552A26A0D779E944CB50

Function 007EFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 007EFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 007EFE32
LoadCursorW.USER32(00000000,00007F00), ref: 007EFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 007EFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 007EFE53
LoadCursorW.USER32(00000000,00007F01), ref: 007EFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 007EFE69
LoadCursorW.USER32(00000000,00007F88), ref: 007EFE74
LoadCursorW.USER32(00000000,00007F80), ref: 007EFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 007EFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 007EFE95
LoadCursorW.USER32(00000000,00007F85), ref: 007EFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 007EFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 007EFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 007EFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 007EFECC
GetCursorInfo.USER32(?), ref: 007EFEDC
GetLastError.KERNEL32 ref: 007EFF1E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d609facd195119bba317d9e3e507b93e2bc1c455761e4b6293affe9219430db8
Instruction ID: 2b86fe2c53827a32d778f15a4a12eb6644c9cf336f14914cb82588a69dd0368a
Opcode Fuzzy Hash: d609facd195119bba317d9e3e507b93e2bc1c455761e4b6293affe9219430db8
Instruction Fuzzy Hash: E14154B0D05359AADB109FBA8C89C5EBFE8FF08354B50852AF11DE7681DB789901CE91

Function 007900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007900C6

Part of subcall function 007900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0084070C,00000FA0,FA61939F,?,?,?,?,007B23B3,000000FF), ref: 0079011C
Part of subcall function 007900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007B23B3,000000FF), ref: 00790127
Part of subcall function 007900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007B23B3,000000FF), ref: 00790138
Part of subcall function 007900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0079014E
Part of subcall function 007900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0079015C
Part of subcall function 007900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0079016A
Part of subcall function 007900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00790195
Part of subcall function 007900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007901A0

___scrt_fastfail.LIBCMT ref: 007900E7

Part of subcall function 007900A3: __onexit.LIBCMT ref: 007900A9

Strings

InitializeConditionVariable, xrefs: 00790148
SleepConditionVariableCS, xrefs: 00790154
kernel32.dll, xrefs: 00790133
WakeAllConditionVariable, xrefs: 00790162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00790122

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a7f266b29d7c00da593ff616bdeaa2aac62e805ae9875c2a28cb25b2e72d2112
Instruction ID: d0285a3fe0daee7ce4ca46afb4bc6c188f7931314454ce82a253c043b04c9fa8
Opcode Fuzzy Hash: a7f266b29d7c00da593ff616bdeaa2aac62e805ae9875c2a28cb25b2e72d2112
Instruction Fuzzy Hash: 7921D732695714AFEB606FA4BC09B6E37D8FB05B51F00422AF901E37D2DB7C98008AD1

Function 007D30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007D318D
_wcslen.LIBCMT ref: 007D31F8

Strings

TEXT, xrefs: 007D347C
CLASSNN, xrefs: 007D31F3, 007D3204
CLASS, xrefs: 007D3188, 007D31A5
NAME, xrefs: 007D3335, 007D3346
REGEXPCLASS, xrefs: 007D3255, 007D3266
INSTANCE, xrefs: 007D3453

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: f270be257d42022a9c9011a589b04f05c82e6cf98a21025433b37e2c2cd09a31
Instruction ID: f7a407bfde89a4bb3273f57577267a572819ba8674e8e71df416705c5ba2de7a
Opcode Fuzzy Hash: f270be257d42022a9c9011a589b04f05c82e6cf98a21025433b37e2c2cd09a31
Instruction Fuzzy Hash: FAE1D232A00516EACF149FB8C855AEDFBB0BF54750F14821AE556F7340DB38AE4587A1

Function 007E44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0080CC08), ref: 007E4527
_wcslen.LIBCMT ref: 007E453B
_wcslen.LIBCMT ref: 007E4599
_wcslen.LIBCMT ref: 007E45F4
_wcslen.LIBCMT ref: 007E463F
_wcslen.LIBCMT ref: 007E46A7

Part of subcall function 0078F9F2: _wcslen.LIBCMT ref: 0078F9FD

GetDriveTypeW.KERNEL32(?,00836BF0,00000061), ref: 007E4743

Strings

network, xrefs: 007E469D, 007E46A2
unknown, xrefs: 007E4708
cdrom, xrefs: 007E458F, 007E4594
fixed, xrefs: 007E4635, 007E463A
removable, xrefs: 007E45EA, 007E45EF
all, xrefs: 007E4531, 007E4536
ramdisk, xrefs: 007E46F1

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 9bd89e677aa26ee8bfa3f908eb9da445b79f507721883a2ab04f462f8f52f68e
Instruction ID: ff902caf70590d694fa0d43c680045aff4057827a11a881c62c9203462ddc284
Opcode Fuzzy Hash: 9bd89e677aa26ee8bfa3f908eb9da445b79f507721883a2ab04f462f8f52f68e
Instruction Fuzzy Hash: E6B125316093429FC710DF29C894A6EB7E5FFA9760F10891DF19AC7291E738D844CBA2

Function 007F3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0080CC08), ref: 007F40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007F40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0080CC08), ref: 007F40F2
FreeLibrary.KERNEL32(00000000,?,0080CC08), ref: 007F413E
StringFromGUID2.OLE32(?,?,00000028,?,0080CC08), ref: 007F41A8
SysFreeString.OLEAUT32(00000009), ref: 007F4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007F42C8
SysFreeString.OLEAUT32(?), ref: 007F42F2

Strings

GetModuleHandleExW, xrefs: 007F40C7
kernel32.dll, xrefs: 007F40B6

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c204594e4fd51f1e1867fcd9f65179bc1c46476124abd29513634e2e73aa7bc8
Instruction ID: fd36aa0395061aa0bd3804ff0a58bab91a2800303d595ebb71705baec56bd4a1
Opcode Fuzzy Hash: c204594e4fd51f1e1867fcd9f65179bc1c46476124abd29513634e2e73aa7bc8
Instruction Fuzzy Hash: B8120975A00119EFDB14DF94C888EBEB7B5FF45318F248098EA05AB251DB35ED46CBA0

Function 0077326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00841990), ref: 007B2F8D
GetMenuItemCount.USER32(00841990), ref: 007B303D
GetCursorPos.USER32(?), ref: 007B3081
SetForegroundWindow.USER32(00000000), ref: 007B308A
TrackPopupMenuEx.USER32(00841990,00000000,?,00000000,00000000,00000000), ref: 007B309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007B30A9

Strings

0, xrefs: 0077327D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 14b08c1cf7b2da2d4767123d8d2d9d77b126641e19f2dcb5ead91f30a6f36d7a
Instruction ID: 97fbe6a6df4f3454d6b647ae71e84ca0ddf21424e6b90f4e3704d46bfe7d6578
Opcode Fuzzy Hash: 14b08c1cf7b2da2d4767123d8d2d9d77b126641e19f2dcb5ead91f30a6f36d7a
Instruction Fuzzy Hash: 94714B70641205BFEB219F24CC89FEABF65FF05364F204206F5286A1E2C7B9AD50DB50

Function 00806CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00806DEB

Part of subcall function 00776B57: _wcslen.LIBCMT ref: 00776B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00806E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00806E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00806E94
DestroyWindow.USER32(?), ref: 00806EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00770000,00000000), ref: 00806EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00806EFD
GetDesktopWindow.USER32 ref: 00806F16
GetWindowRect.USER32(00000000), ref: 00806F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00806F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00806F4D

Part of subcall function 00789944: GetWindowLongW.USER32(?,000000EB), ref: 00789952

Strings

0, xrefs: 00806D98
tooltips_class32, xrefs: 00806E58, 00806EDD

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: ce97bec37870c9751959afe4ddad5326085c58fbb89594ab62eaf769b235109e
Instruction ID: dc40ead2e1f292c2c4bf624e6e26b4ccbf1c45d0daab204b0ccb0db3205cb0f4
Opcode Fuzzy Hash: ce97bec37870c9751959afe4ddad5326085c58fbb89594ab62eaf769b235109e
Instruction Fuzzy Hash: 6E719A74100341AFDBA1CF18DC48EAABBE9FB89304F54051DF999C72A1DB31E966CB11

Function 0080911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00789BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00789BB2

DragQueryPoint.SHELL32(?,?), ref: 00809147

Part of subcall function 00807674: ClientToScreen.USER32(?,?), ref: 0080769A
Part of subcall function 00807674: GetWindowRect.USER32(?,?), ref: 00807710
Part of subcall function 00807674: PtInRect.USER32(?,?,00808B89), ref: 00807720

SendMessageW.USER32(?,000000B0,?,?), ref: 008091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00809225
SendMessageW.USER32(?,000000B0,?,?), ref: 0080923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00809255
SendMessageW.USER32(?,000000B1,?,?), ref: 00809277
DragFinish.SHELL32(?), ref: 0080927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00809371

Strings

@GUI_DRAGFILE, xrefs: 00809320
@GUI_DRAGID, xrefs: 008092E9
@GUI_DROPID, xrefs: 0080929E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: cc71ba3a3f485e5ef0dee28ba614f25a6cfaf74cd9d021134900ad473dd0d836
Instruction ID: 9730cf2891603fbe019b7b00d842c342cee2b55175323c66b52e81e09deabe52
Opcode Fuzzy Hash: cc71ba3a3f485e5ef0dee28ba614f25a6cfaf74cd9d021134900ad473dd0d836
Instruction Fuzzy Hash: 63616C71108301AFDB41DF64DC89DAFBBE8FF99350F004A1DF6A5922A1DB309A49CB52

Function 007EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007EC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007EC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007EC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007EC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 007EC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007EC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007EC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007EC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007EC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007EC5F0
InternetCloseHandle.WININET(00000000), ref: 007EC5FB

Strings

, xrefs: 007EC575

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 1ca59a0f1065525fd9d3d86f85d2a93ef696539dee004e00e06499a2e79e2ef9
Instruction ID: 422cc7f16f29991847b5705e0daea81e97baf6295134a97c8bdc7b1b1671ff5d
Opcode Fuzzy Hash: 1ca59a0f1065525fd9d3d86f85d2a93ef696539dee004e00e06499a2e79e2ef9
Instruction Fuzzy Hash: 6B518DB4501388BFEB229F66C988AAB7BFCFF08344F10451AF945D6250DB38E915DB60

Function 0080856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00808592
GetFileSize.KERNEL32(00000000,00000000), ref: 008085A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008085AD
CloseHandle.KERNEL32(00000000), ref: 008085BA
GlobalLock.KERNEL32(00000000), ref: 008085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008085D7
GlobalUnlock.KERNEL32(00000000), ref: 008085E0
CloseHandle.KERNEL32(00000000), ref: 008085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008085F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0080FC38,?), ref: 00808611
GlobalFree.KERNEL32(00000000), ref: 00808621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00808641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00808671
DeleteObject.GDI32(00000000), ref: 00808699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008086AF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e7f2402374a674bede1e06dcde5665163932a67ddd37387443d9dd521585c62a
Instruction ID: f009ef9cf9aa0ee5bb30e3d4017dea3ff1e4f5c908bb6d2baafbd2afac576fa9
Opcode Fuzzy Hash: e7f2402374a674bede1e06dcde5665163932a67ddd37387443d9dd521585c62a
Instruction Fuzzy Hash: 37414A71600208EFDB519FA5CC88EAE7BB8FF99711F108158F91AE72A0DB319D41CB20

Function 007E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007E1502
VariantCopy.OLEAUT32(?,?), ref: 007E150B
VariantClear.OLEAUT32(?), ref: 007E1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007E15FB
VarR8FromDec.OLEAUT32(?,?), ref: 007E1657
VariantInit.OLEAUT32(?), ref: 007E1708
SysFreeString.OLEAUT32(?), ref: 007E178C
VariantClear.OLEAUT32(?), ref: 007E17D8
VariantClear.OLEAUT32(?), ref: 007E17E7
VariantInit.OLEAUT32(00000000), ref: 007E1823

Strings

Default, xrefs: 007E16AF
%4d%02d%02d%02d%02d%02d, xrefs: 007E1625

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: f3b5e8689a0455a66633e18297e473a40b1f79be5ac212ab88b3fcf42dec4262
Instruction ID: 190b000ca568982199915e3269def8b253c66a1c272a54495595173c31b8294f
Opcode Fuzzy Hash: f3b5e8689a0455a66633e18297e473a40b1f79be5ac212ab88b3fcf42dec4262
Instruction Fuzzy Hash: 28D11571A01145EBDB00AF66D88ABBDB7B5BF49700F50815AF806AB184DB3CEC60DB61

Function 007FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007FB6AE,?,?), ref: 007FC9B5
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FC9F1
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FCA68
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007FB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007FB772
RegDeleteValueW.ADVAPI32(?,?), ref: 007FB80A
RegCloseKey.ADVAPI32(?), ref: 007FB87E
RegCloseKey.ADVAPI32(?), ref: 007FB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 007FB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007FB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 007FB922
FreeLibrary.KERNEL32(00000000), ref: 007FB983
RegCloseKey.ADVAPI32(00000000), ref: 007FB994

Strings

RegDeleteKeyExW, xrefs: 007FB8FE
advapi32.dll, xrefs: 007FB8ED

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: afe187ce53e08517a110c74de2e78c223d29cf1a0a41ba46cd882bb7d91087ca
Instruction ID: cd081a539cdc0e133c9cc34f08412d920dc20d4e9ec5ec5be7651c3c40be45a3
Opcode Fuzzy Hash: afe187ce53e08517a110c74de2e78c223d29cf1a0a41ba46cd882bb7d91087ca
Instruction Fuzzy Hash: D0C17B31208205EFD714DF24C499F2ABBE5BF84358F14855CE69A8B3A2CB79EC45CB91

Function 007F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007F25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007F25E8
CreateCompatibleDC.GDI32(?), ref: 007F25F4
SelectObject.GDI32(00000000,?), ref: 007F2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 007F266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007F26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007F26D0
SelectObject.GDI32(?,?), ref: 007F26D8
DeleteObject.GDI32(?), ref: 007F26E1
DeleteDC.GDI32(?), ref: 007F26E8
ReleaseDC.USER32(00000000,?), ref: 007F26F3

Strings

(, xrefs: 007F268D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 03582964579a884bb2e15f91dd864b6c79de407d349e9ddf6b4b0256a5f4c9f4
Instruction ID: 376c2423c439bd0ce67cbf503bf8a00bb943eae204886a092194909124b8bbff
Opcode Fuzzy Hash: 03582964579a884bb2e15f91dd864b6c79de407d349e9ddf6b4b0256a5f4c9f4
Instruction Fuzzy Hash: 6261D275D00219EFCF14CFA4D884AAEBBB5FF48310F208529EA55A7351E774A951CF60

Function 007ADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 007ADAA1

Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD659
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD66B
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD67D
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD68F
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD6A1
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD6B3
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD6C5
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD6D7
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD6E9
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD6FB
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD70D
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD71F
Part of subcall function 007AD63C: _free.LIBCMT ref: 007AD731

_free.LIBCMT ref: 007ADA96

Part of subcall function 007A29C8: HeapFree.KERNEL32(00000000,00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000), ref: 007A29DE
Part of subcall function 007A29C8: GetLastError.KERNEL32(00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000,00000000), ref: 007A29F0

_free.LIBCMT ref: 007ADAB8
_free.LIBCMT ref: 007ADACD
_free.LIBCMT ref: 007ADAD8
_free.LIBCMT ref: 007ADAFA
_free.LIBCMT ref: 007ADB0D
_free.LIBCMT ref: 007ADB1B
_free.LIBCMT ref: 007ADB26
_free.LIBCMT ref: 007ADB5E
_free.LIBCMT ref: 007ADB65
_free.LIBCMT ref: 007ADB82
_free.LIBCMT ref: 007ADB9A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 93eff5da3b64ef0b8986d2c5b88b9ea045bd7f7dc51739eb9e51b10bdbbdf609
Instruction ID: ac293dbc983880a2aa39b06f2c50e558c2f13938ea6b165d68366d8d40f25bd4
Opcode Fuzzy Hash: 93eff5da3b64ef0b8986d2c5b88b9ea045bd7f7dc51739eb9e51b10bdbbdf609
Instruction Fuzzy Hash: 77318D71604304DFEB31AA78E849B5B77E8FF82710F108619E04AE75A2DF38BC408B21

Function 007D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007D369C
_wcslen.LIBCMT ref: 007D36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007D3797
GetClassNameW.USER32(?,?,00000400), ref: 007D380C
GetDlgCtrlID.USER32(?), ref: 007D385D
GetWindowRect.USER32(?,?), ref: 007D3882
GetParent.USER32(?), ref: 007D38A0
ScreenToClient.USER32(00000000), ref: 007D38A7
GetClassNameW.USER32(?,?,00000100), ref: 007D3921
GetWindowTextW.USER32(?,?,00000400), ref: 007D395D

Strings

%s%u, xrefs: 007D3734

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: f1704dc72d6dfaa9f134fff0634f5f13ea3224cecdb4e694c1659d014890a52a
Instruction ID: a9d77e4d542d9964fc6eb0f16447f50d570e799ec5952ad9850fb053fef87004
Opcode Fuzzy Hash: f1704dc72d6dfaa9f134fff0634f5f13ea3224cecdb4e694c1659d014890a52a
Instruction Fuzzy Hash: AC91B571204606EFD715DF24C895FAAF7B8FF44354F00462AF999D2290DB38EA45CBA2

Function 007D4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 007D4994
GetWindowTextW.USER32(?,?,00000400), ref: 007D49DA
_wcslen.LIBCMT ref: 007D49EB
CharUpperBuffW.USER32(?,00000000), ref: 007D49F7
_wcsstr.LIBVCRUNTIME ref: 007D4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 007D4A64
GetWindowTextW.USER32(?,?,00000400), ref: 007D4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 007D4AE6
GetClassNameW.USER32(?,?,00000400), ref: 007D4B20
GetWindowRect.USER32(?,?), ref: 007D4B8B

Strings

ThumbnailClass, xrefs: 007D4A6F, 007D4AF1

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 62ede99ef3a46b73bb397d704cf81ae4e7a12b689dfbbda98553c1e183e7b4b7
Instruction ID: 269083cf78f837d8415c93d4d604ecd98c6352ebfe8ab8c371acd154bd3c61ee
Opcode Fuzzy Hash: 62ede99ef3a46b73bb397d704cf81ae4e7a12b689dfbbda98553c1e183e7b4b7
Instruction Fuzzy Hash: 4491CB710042059FDB04CF14C989FAA77E8FF94354F04856BFD899A296EB38ED45CBA1

Function 007DBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00841990,000000FF,00000000,00000030), ref: 007DBFAC
SetMenuItemInfoW.USER32(00841990,00000004,00000000,00000030), ref: 007DBFE1
Sleep.KERNEL32(000001F4), ref: 007DBFF3
GetMenuItemCount.USER32(?), ref: 007DC039
GetMenuItemID.USER32(?,00000000), ref: 007DC056
GetMenuItemID.USER32(?,-00000001), ref: 007DC082
GetMenuItemID.USER32(?,?), ref: 007DC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007DC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007DC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007DC145

Strings

0, xrefs: 007DBF3D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: d6e1c6192ba0200bce235bc1cc7d261f9b751b27b8e38d41c40a4ed6f969d99f
Instruction ID: f02b8e588d1266f5fa03c4522f93260658a2f4a91b7ad503893e8c1a58bb5eb0
Opcode Fuzzy Hash: d6e1c6192ba0200bce235bc1cc7d261f9b751b27b8e38d41c40a4ed6f969d99f
Instruction Fuzzy Hash: F06190B090025AEFDF22CF68DD88AEEBBB8FB05344F104156E911A3391D739AD45CB60

Function 007FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007FCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 007FCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007FCD48

Part of subcall function 007FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 007FCCAA
Part of subcall function 007FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 007FCCBD
Part of subcall function 007FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007FCCCF
Part of subcall function 007FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007FCD05
Part of subcall function 007FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007FCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 007FCCF3

Strings

RegDeleteKeyExW, xrefs: 007FCCC9
advapi32.dll, xrefs: 007FCCB8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 9a7a0fe4c64274749280e0ce867a2ce8dc80e01ab48e8f8b4bc6721cc0fbb5ac
Instruction ID: 4e909b6df606c4cb770612ba03bd49ba3ec972e4cf72d60d53847a1776bcb962
Opcode Fuzzy Hash: 9a7a0fe4c64274749280e0ce867a2ce8dc80e01ab48e8f8b4bc6721cc0fbb5ac
Instruction Fuzzy Hash: A2316F71A0112DBBDB618F54DD88EFFBB7CEF45750F000165BA06E6240DB389A45EAB0

Function 007E3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007E3D40
_wcslen.LIBCMT ref: 007E3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 007E3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007E3DBE
RemoveDirectoryW.KERNEL32(?), ref: 007E3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007E3E55
CloseHandle.KERNEL32(00000000), ref: 007E3E60
CloseHandle.KERNEL32(00000000), ref: 007E3E6B

Strings

\??\%s, xrefs: 007E3D5B
:, xrefs: 007E3D82
\, xrefs: 007E3D77

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ebb59e1622235b37924ef4c277b9a63022213ae134ee846df76e92c65a210574
Instruction ID: 3ab0f72292340fe3fe3d55a2d8b868110c8b59be300dcbd2bd8c0b2c0f22b742
Opcode Fuzzy Hash: ebb59e1622235b37924ef4c277b9a63022213ae134ee846df76e92c65a210574
Instruction Fuzzy Hash: 2631AF72A00249ABDB21DFA1DC49FEB37BCFF88700F5041A5F519D6160EB7897448B64

Function 007DE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007DE6B4

Part of subcall function 0078E551: timeGetTime.WINMM(?,?,007DE6D4), ref: 0078E555

Sleep.KERNEL32(0000000A), ref: 007DE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 007DE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007DE727
SetActiveWindow.USER32 ref: 007DE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007DE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 007DE773
Sleep.KERNEL32(000000FA), ref: 007DE77E
IsWindow.USER32 ref: 007DE78A
EndDialog.USER32(00000000), ref: 007DE79B

Strings

BUTTON, xrefs: 007DE719

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 482134a446abd9b83a1c912cb95235915f4fc6ddb6a9668f8347dca3095e34ca
Instruction ID: c1cb124f92c73b5c7b4e172691b1736bda87216f8115b3159d2189886059819f
Opcode Fuzzy Hash: 482134a446abd9b83a1c912cb95235915f4fc6ddb6a9668f8347dca3095e34ca
Instruction Fuzzy Hash: 4321A874204204AFEB51AFA0ECCDA363B79F765358F504526F415853B1DB79AC00CB65

Function 007DE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007DEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007DEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007DEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007DEAA7

Strings

close PlayMe, xrefs: 007DEA6E, 007DEA9B
play PlayMe, xrefs: 007DEAA2
alias PlayMe, xrefs: 007DEA36
status PlayMe mode, xrefs: 007DEA58
play PlayMe wait, xrefs: 007DEA91
open , xrefs: 007DEA0C

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b137e6c84b1f23986a404963c4d466166c89ebe1a71652fe73514e7c13efed40
Instruction ID: e776966f3e5536350e8da9d407de714854cf176a00417d0c08ba334150477d96
Opcode Fuzzy Hash: b137e6c84b1f23986a404963c4d466166c89ebe1a71652fe73514e7c13efed40
Instruction Fuzzy Hash: 6F119131A90219B9DB21B7A5DD4AEFF6A7CFBD2B40F00842A7825E61D0EE781915C5F0

Function 007D9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007DA012
SetKeyboardState.USER32(?), ref: 007DA07D
GetAsyncKeyState.USER32(000000A0), ref: 007DA09D
GetKeyState.USER32(000000A0), ref: 007DA0B4
GetAsyncKeyState.USER32(000000A1), ref: 007DA0E3
GetKeyState.USER32(000000A1), ref: 007DA0F4
GetAsyncKeyState.USER32(00000011), ref: 007DA120
GetKeyState.USER32(00000011), ref: 007DA12E
GetAsyncKeyState.USER32(00000012), ref: 007DA157
GetKeyState.USER32(00000012), ref: 007DA165
GetAsyncKeyState.USER32(0000005B), ref: 007DA18E
GetKeyState.USER32(0000005B), ref: 007DA19C

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8e93fa20356b53e96e6eccec90230cfc92e4e0b93821a076eb5b2af6534ce1df
Instruction ID: a8b169a7069683dafa9d5a2b35e7bc6788b6a5444540840165c6e9fec156d501
Opcode Fuzzy Hash: 8e93fa20356b53e96e6eccec90230cfc92e4e0b93821a076eb5b2af6534ce1df
Instruction Fuzzy Hash: 9C51CB2190478879FB35EB7088557EABFB5AF12340F08459BD5C2573C2EA5CAA4CC763

Function 007D5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 007D5CE2
GetWindowRect.USER32(00000000,?), ref: 007D5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 007D5D59
GetDlgItem.USER32(?,00000002), ref: 007D5D69
GetWindowRect.USER32(00000000,?), ref: 007D5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 007D5DCF
GetDlgItem.USER32(?,000003E9), ref: 007D5DDD
GetWindowRect.USER32(00000000,?), ref: 007D5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 007D5E31
GetDlgItem.USER32(?,000003EA), ref: 007D5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007D5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 007D5E67

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 4603cb51c4615390d778bdd6ae1d0f1eacf7076cca79b57a5d6fcc6d6974b78b
Instruction ID: cb2a4c621c51d0a2b86cef6fe5ebeaca7346385bf18b86fc3820ab4b606bb901
Opcode Fuzzy Hash: 4603cb51c4615390d778bdd6ae1d0f1eacf7076cca79b57a5d6fcc6d6974b78b
Instruction Fuzzy Hash: 20510E71B00609AFDF18DF68DD89AAEBBB6FB58301F148229F515E7290D7749E04CB60

Function 00788BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00788F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00788BE8,?,00000000,?,?,?,?,00788BBA,00000000,?), ref: 00788FC5

DestroyWindow.USER32(?), ref: 00788C81
KillTimer.USER32(00000000,?,?,?,?,00788BBA,00000000,?), ref: 00788D1B
DestroyAcceleratorTable.USER32(00000000), ref: 007C6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00788BBA,00000000,?), ref: 007C69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00788BBA,00000000,?), ref: 007C69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00788BBA,00000000), ref: 007C69D4
DeleteObject.GDI32(00000000), ref: 007C69E6

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 674dc178d8b1f8f4cc8bd7ecad4a0963ee3331a5387fd9b11cedb95efc42b3a6
Instruction ID: a8ec9afbd607045c38f34694dad961b4567d23894d164810028f22096384c67e
Opcode Fuzzy Hash: 674dc178d8b1f8f4cc8bd7ecad4a0963ee3331a5387fd9b11cedb95efc42b3a6
Instruction Fuzzy Hash: EE61A035141600DFDB61AF14D98CB29BBF1FB45312F94865CE042976A4CB39ADC0CF62

Function 00789838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00789944: GetWindowLongW.USER32(?,000000EB), ref: 00789952

GetSysColor.USER32(0000000F), ref: 00789862

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0f2f53ccb2aa90d165ab1c886d9d8a972be3180311e76ea4a3cbb8f309bec8c2
Instruction ID: d3a0f6f26c089fc3480ca70186293d99cbd657bb0e2d1e515a00e6acbeede648
Opcode Fuzzy Hash: 0f2f53ccb2aa90d165ab1c886d9d8a972be3180311e76ea4a3cbb8f309bec8c2
Instruction Fuzzy Hash: E441C331184740AFDB246F389C88BB93BA5FB46330F184719FAA2871E1D7399C42DB10

Function 007A8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.y, xrefs: 007A903A, 007A8FD0, 007A8FF2

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID: .y
API String ID: 0-2155845462
Opcode ID: c745de89e85114623adbef3db85eebea6767397376a4de4dba41c35147959639
Instruction ID: e776413c48aa4e4d2570dbaaa9a3b3c11362f526d636b7a53da1f1bf88591042
Opcode Fuzzy Hash: c745de89e85114623adbef3db85eebea6767397376a4de4dba41c35147959639
Instruction Fuzzy Hash: A9C1E77590424ADFCF51DFA8D845BAEBBB0BF8B310F144299F614A7392C7389941CB61

Function 007D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,007BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 007D9717
LoadStringW.USER32(00000000,?,007BF7F8,00000001), ref: 007D9720

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,007BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 007D9742
LoadStringW.USER32(00000000,?,007BF7F8,00000001), ref: 007D9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 007D9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007D984A
Error: , xrefs: 007D981D
^ ERROR, xrefs: 007D97FB
Line %d:, xrefs: 007D97A0
Line %d (File "%s"):, xrefs: 007D978F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ad2df7177e402d2774b8c7ae4f746240134fff91593112ebd553b102ecfd97bd
Instruction ID: 5faf33e88d0f5f5a5281b839d75cf145de27ba977088d3d09cd88b6ef0b107bf
Opcode Fuzzy Hash: ad2df7177e402d2774b8c7ae4f746240134fff91593112ebd553b102ecfd97bd
Instruction Fuzzy Hash: D4412E72900209EACF14EBE0CD5ADEEB778EF55780F508125F60972192EA396F48DB61

Function 007D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00776B57: _wcslen.LIBCMT ref: 00776B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007D07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007D07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007D07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007D0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 007D082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007D0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007D083C

Strings

\IPC$, xrefs: 007D0784
SOFTWARE\Classes\, xrefs: 007D070E
\CLSID, xrefs: 007D0724

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 7d4271c882c04a7d2c95bfee4211f9adac21ab8b699d17889d1889b5c810e9f8
Instruction ID: 3c9b776328673bd4760f5b9322beacf0b7973de5127a6fcab8dd5bccb98530ab
Opcode Fuzzy Hash: 7d4271c882c04a7d2c95bfee4211f9adac21ab8b699d17889d1889b5c810e9f8
Instruction Fuzzy Hash: E141F772810629EBDF15EFA4DC89DEDB778FF44390F148129E915A72A1EB385E04CB90

Function 00803F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0080403B
CreateCompatibleDC.GDI32(00000000), ref: 00804042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00804055
SelectObject.GDI32(00000000,00000000), ref: 0080405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00804068
DeleteDC.GDI32(00000000), ref: 00804072
GetWindowLongW.USER32(?,000000EC), ref: 0080407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00804092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0080409E

Strings

static, xrefs: 00803FD3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 863184fcfa8f7e9c02f3de2906e85fd89ebdef23a8e4d8b486f3d503e0590271
Instruction ID: 699ff30f327480fb6c812c4c7eb79684fdedc68fc61c9436c0ba0305ce7bd365
Opcode Fuzzy Hash: 863184fcfa8f7e9c02f3de2906e85fd89ebdef23a8e4d8b486f3d503e0590271
Instruction Fuzzy Hash: 58315772141219ABDFA29FA8CC08FDA3B68FF09320F100310FA69E61E0CB75D861DB50

Function 007F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007F3C5C
CoInitialize.OLE32(00000000), ref: 007F3C8A
CoUninitialize.OLE32 ref: 007F3C94
_wcslen.LIBCMT ref: 007F3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 007F3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 007F3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 007F3F0E
CoGetObject.OLE32(?,00000000,0080FB98,?), ref: 007F3F2D
SetErrorMode.KERNEL32(00000000), ref: 007F3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007F3FC4
VariantClear.OLEAUT32(?), ref: 007F3FD8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 1459192cd7989f83e04888a356c82e1549b2e8c3ef106688682456edf6d02731
Instruction ID: a3ee6914274b69bdf9191159f5b4fb2d5c8b6f8a28d564dcd065e9fcc2a847a5
Opcode Fuzzy Hash: 1459192cd7989f83e04888a356c82e1549b2e8c3ef106688682456edf6d02731
Instruction Fuzzy Hash: ABC124716082099FD700DF68C88492BB7E9FF89758F10491DFA8A9B351D735EE05CB52

Function 007E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007E7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007E7B8F
SHGetDesktopFolder.SHELL32(?), ref: 007E7BA3
CoCreateInstance.OLE32(0080FD08,00000000,00000001,00836E6C,?), ref: 007E7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007E7C74
CoTaskMemFree.OLE32(?,?), ref: 007E7CCC
SHBrowseForFolderW.SHELL32(?), ref: 007E7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007E7D7A
CoTaskMemFree.OLE32(00000000), ref: 007E7D81
CoTaskMemFree.OLE32(00000000), ref: 007E7DD6
CoUninitialize.OLE32 ref: 007E7DDC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 81530f2a5f34ab38aea665eb6b90013d5a5ace06517619adb73595da9658eb22
Instruction ID: d2730d390828ab9f8f56b1b8da22083b9aab0551c37677c73262c35b6f45b984
Opcode Fuzzy Hash: 81530f2a5f34ab38aea665eb6b90013d5a5ace06517619adb73595da9658eb22
Instruction Fuzzy Hash: 66C13975A05149EFCB14DFA5C888DAEBBF9FF48304B1485A8E819DB261D734EE41CB90

Function 0080541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00805504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00805515
CharNextW.USER32(00000158), ref: 00805544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00805585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0080559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008055AC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 6537b1af956088be8250d961039c5736c101930fedc05278ae232fee722a524a
Instruction ID: a963c41caa23c725771cd6861fd010ad6a41d3da77b8cc4bb2443f741462109b
Opcode Fuzzy Hash: 6537b1af956088be8250d961039c5736c101930fedc05278ae232fee722a524a
Instruction Fuzzy Hash: 86615875901A08AADFA09F54CC84AFF7BB9FB09724F104149F925EA2D0D7749A81DF70

Function 007CFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007CFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 007CFB08
VariantInit.OLEAUT32(?), ref: 007CFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 007CFB3A
VariantCopy.OLEAUT32(?,?), ref: 007CFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 007CFBA1
VariantClear.OLEAUT32(?), ref: 007CFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 007CFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007CFBCC
VariantClear.OLEAUT32(?), ref: 007CFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007CFBE9

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6183aee371af5f57b40d506a68b691ae9c1fd4ebc03255f24e67fdd5c24f02c0
Instruction ID: 6cdf9c63916a4d0e6be1ce7ff3dafd3b52a5f54cac4fb8585ab8ed3fd502dd04
Opcode Fuzzy Hash: 6183aee371af5f57b40d506a68b691ae9c1fd4ebc03255f24e67fdd5c24f02c0
Instruction Fuzzy Hash: 49413E75A00219EFCB00DF64D858EAEBBBAFF48354F00816DE945A7261CB34AD45CBA0

Function 007D9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007D9CA1
GetAsyncKeyState.USER32(000000A0), ref: 007D9D22
GetKeyState.USER32(000000A0), ref: 007D9D3D
GetAsyncKeyState.USER32(000000A1), ref: 007D9D57
GetKeyState.USER32(000000A1), ref: 007D9D6C
GetAsyncKeyState.USER32(00000011), ref: 007D9D84
GetKeyState.USER32(00000011), ref: 007D9D96
GetAsyncKeyState.USER32(00000012), ref: 007D9DAE
GetKeyState.USER32(00000012), ref: 007D9DC0
GetAsyncKeyState.USER32(0000005B), ref: 007D9DD8
GetKeyState.USER32(0000005B), ref: 007D9DEA

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 13d7789ba3a03e25e2f5a663f5237d78948fbf81a47ea200648b19a1343e7f6f
Instruction ID: bad5cd5e0a10dbfa93d92d6984130977548ff62d7aaec10aeb20e24807212a8d
Opcode Fuzzy Hash: 13d7789ba3a03e25e2f5a663f5237d78948fbf81a47ea200648b19a1343e7f6f
Instruction Fuzzy Hash: 574195346047C969FF719B7488043B5BEB17B21344F08815BDBCA567C2EBAD99C8C7A2

Function 007F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007F05BC
inet_addr.WSOCK32(?), ref: 007F061C
gethostbyname.WSOCK32(?), ref: 007F0628
IcmpCreateFile.IPHLPAPI ref: 007F0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007F06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007F06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007F07B9
WSACleanup.WSOCK32 ref: 007F07BF

Strings

Ping, xrefs: 007F0676

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 229801b79aec9731080717fabd5463023d730139e3563a2c7861867d5b9c6cd6
Instruction ID: b15d63156a54ab23f27ea9b7eec30bc1b5e5373d9580ddfed429e39e9fc7f293
Opcode Fuzzy Hash: 229801b79aec9731080717fabd5463023d730139e3563a2c7861867d5b9c6cd6
Instruction Fuzzy Hash: BD916A75608205DFDB20DF19C488F2ABBE0AF48318F1485A9E5698B7A2C778ED41CFD1

Function 007F8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 007F8CF3

Part of subcall function 007D8E54: _wcslen.LIBCMT ref: 007D8E77

_wcslen.LIBCMT ref: 007F8D4E
_wcslen.LIBCMT ref: 007F8D9C
_wcslen.LIBCMT ref: 007F8DDC
_wcslen.LIBCMT ref: 007F8E6E

Strings

winapi, xrefs: 007F8D96, 007F8D9B
cdecl, xrefs: 007F8D48, 007F8D4D
stdcall, xrefs: 007F8DD6, 007F8DDB
none, xrefs: 007F8E65, 007F8E6A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d931ea5f0850bb428c6d45ce9a8783e43430131baef72303c81d943d721b8d8a
Instruction ID: 375b2f11c821edd7214fded223bc36433e444ea8a8a67550de019b9e8b2b4cfc
Opcode Fuzzy Hash: d931ea5f0850bb428c6d45ce9a8783e43430131baef72303c81d943d721b8d8a
Instruction Fuzzy Hash: F951C432A0051AEBCF54DF6CC9519BEB3A5BF64360B204229E625E73C4EB38DD40C791

Function 007F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 007F3774
CoUninitialize.OLE32 ref: 007F377F
CoCreateInstance.OLE32(?,00000000,00000017,0080FB78,?), ref: 007F37D9
IIDFromString.OLE32(?,?), ref: 007F384C
VariantInit.OLEAUT32(?), ref: 007F38E4
VariantClear.OLEAUT32(?), ref: 007F3936

Strings

NULL Pointer assignment, xrefs: 007F381E
Failed to create object, xrefs: 007F37E4, 007F389A
Invalid parameter, xrefs: 007F3865

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: dcd7b23c395964a2278ca72c58e01a7b5ed47ee3fcec80e9c1fab09a94868a21
Instruction ID: f8d774c7350bd9fb4f153d4a5bb3fc14d7e00be03021479b5796b73c4f07a97f
Opcode Fuzzy Hash: dcd7b23c395964a2278ca72c58e01a7b5ed47ee3fcec80e9c1fab09a94868a21
Instruction Fuzzy Hash: B3618CB0608305AFD710EF54C889B6AB7E4EF48754F104919FA959B391C778EE48CBA2

Function 007E3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007E33CF

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007E33F0

Strings

Error: , xrefs: 007E34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 007E3504
Incorrect parameters to object property !, xrefs: 007E34AB
Line %d (File "%s"):, xrefs: 007E3443, 007E345C
"%s" (%d) : ==> %s:, xrefs: 007E3522
^ ERROR , xrefs: 007E349E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: af677b8cfc26eab5795fbb12ead2320eacff486a02abbe44b5ba860449bcf8d2
Instruction ID: 0b47d806c4e2f05f256eb8de886b8021714898a261f302cb350ff8164f3999b3
Opcode Fuzzy Hash: af677b8cfc26eab5795fbb12ead2320eacff486a02abbe44b5ba860449bcf8d2
Instruction Fuzzy Hash: DF519071901209EADF15EBA0CD4AEEEB778FF15380F108165F50972292EB392F58DB61

Function 007DB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007DB5FC
_wcslen.LIBCMT ref: 007DB608
_wcslen.LIBCMT ref: 007DB64D
_wcslen.LIBCMT ref: 007DB68C
_wcslen.LIBCMT ref: 007DB6C7

Strings

KEYS, xrefs: 007DB647, 007DB64C
APPEND, xrefs: 007DB6C1, 007DB6C6
EXISTS, xrefs: 007DB686, 007DB68B
REMOVE, xrefs: 007DB602, 007DB607

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 0d0d904a4770c7558c36940b075f02a45a627260e4705a449d4998634c0b7071
Instruction ID: 467568797185f9e6842b777dd26177d5ef021c192a9c4528b5561b982b0f4378
Opcode Fuzzy Hash: 0d0d904a4770c7558c36940b075f02a45a627260e4705a449d4998634c0b7071
Instruction Fuzzy Hash: 4841C332A00026DBCB205F7D88905BE77B5BBA4BA4B26422BE521D7384F739DD81C790

Function 007E5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007E53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007E5416
GetLastError.KERNEL32 ref: 007E5420
SetErrorMode.KERNEL32(00000000,READY), ref: 007E54A7

Strings

UNKNOWN, xrefs: 007E5444
NOTREADY, xrefs: 007E544B
READY, xrefs: 007E5460, 007E5468
READONLY, xrefs: 007E5452
INVALID, xrefs: 007E5459

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4ad0dd1dc6c5be477a6795aa1e16bfa806828687745c32314e4037406e2b0ed4
Instruction ID: 70fceca2fe51d809b1c4ac991f41dab3c9369ed3a1d416162f259c59929ec4a5
Opcode Fuzzy Hash: 4ad0dd1dc6c5be477a6795aa1e16bfa806828687745c32314e4037406e2b0ed4
Instruction Fuzzy Hash: B131D375A01188DFCB10DF69C488AA9BBF4FF4A309F148165E505CB292D779DD86CB90

Function 00803C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00803C79
SetMenu.USER32(?,00000000), ref: 00803C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00803D10
IsMenu.USER32(?), ref: 00803D24
CreatePopupMenu.USER32 ref: 00803D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00803D5B
DrawMenuBar.USER32 ref: 00803D63

Strings

F, xrefs: 00803D4E
0, xrefs: 00803C54

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 09a56a6d17faba12cab4c9fa3f01fcc8f561a63cda5d3d54e3c41f00319d750f
Instruction ID: 5645109170c59be40314a96dee861d88775fbaaff55bda139dbd0b2f55545fba
Opcode Fuzzy Hash: 09a56a6d17faba12cab4c9fa3f01fcc8f561a63cda5d3d54e3c41f00319d750f
Instruction Fuzzy Hash: 3B413A79A01209EFDF54CF64DC44AAA7BB9FF49350F140129ED46E73A0D770AA10DB94

Function 007D1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007D3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 007D1F64
GetDlgCtrlID.USER32 ref: 007D1F6F
GetParent.USER32 ref: 007D1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 007D1F8E
GetDlgCtrlID.USER32(?), ref: 007D1F97
GetParent.USER32(?), ref: 007D1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 007D1FAE

Strings

ListBox, xrefs: 007D1F21
ComboBox, xrefs: 007D1EEC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0d30347a88f999370fcada69181f4989d148ba16efd7473cc7a5652524e8434e
Instruction ID: 62833fc07cabff5979fb219ae1b5d823c85c97b01396a7cacf820f1dbd1995b8
Opcode Fuzzy Hash: 0d30347a88f999370fcada69181f4989d148ba16efd7473cc7a5652524e8434e
Instruction Fuzzy Hash: 9F21B070A01214BBCF15AFA0CC89DEEBBB8FF15350F40465AB965A7291DB3959089B60

Function 007D1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007D3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 007D2043
GetDlgCtrlID.USER32 ref: 007D204E
GetParent.USER32 ref: 007D206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 007D206D
GetDlgCtrlID.USER32(?), ref: 007D2076
GetParent.USER32(?), ref: 007D208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 007D208D

Strings

ListBox, xrefs: 007D2002
ComboBox, xrefs: 007D1FCD

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 748b2e2542a3efb0ad1fc2b5000c8ddd0b338fc207e165608a8b21cb6cb7c2de
Instruction ID: cbc1f0b2440ac9c306e43ec67e86cbec20e7e449103ce07df757a1fa281d3b1a
Opcode Fuzzy Hash: 748b2e2542a3efb0ad1fc2b5000c8ddd0b338fc207e165608a8b21cb6cb7c2de
Instruction Fuzzy Hash: AE21D471A01214BBCF10AFA0CC49EEEBBB8FF25340F104516B965A72A1DB794916DB70

Function 00803A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00803A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00803AA0
GetWindowLongW.USER32(?,000000F0), ref: 00803AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00803AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00803B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00803BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00803BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00803BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00803BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00803C13

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e03a3ad413b6f5de6145f02cf2fa3f7f0e003378c265838d5fffa46161b80649
Instruction ID: aa3a6c9a8720e31cc0c94ca82d252f189a56b9f38cfc44d369811b291f869add
Opcode Fuzzy Hash: e03a3ad413b6f5de6145f02cf2fa3f7f0e003378c265838d5fffa46161b80649
Instruction Fuzzy Hash: A3617975A00208AFDB21DFA8CC85EEE77B8FB09714F100199FA15E72E1D774AA81DB50

Function 007DB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007DB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,007DA1E1,?,00000001), ref: 007DB165
GetWindowThreadProcessId.USER32(00000000), ref: 007DB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007DA1E1,?,00000001), ref: 007DB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 007DB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,007DA1E1,?,00000001), ref: 007DB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007DA1E1,?,00000001), ref: 007DB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007DA1E1,?,00000001), ref: 007DB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,007DA1E1,?,00000001), ref: 007DB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,007DA1E1,?,00000001), ref: 007DB21D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d1ab89e809f9b4b77134075b6fb3283e7b889cb991430617985ff13434feca82
Instruction ID: c81e0c92b711df5b676c08ee625ff8d5287f9089bf355b0d5a61fa2d01ea8f37
Opcode Fuzzy Hash: d1ab89e809f9b4b77134075b6fb3283e7b889cb991430617985ff13434feca82
Instruction Fuzzy Hash: 3B31A576500604FFDB209F64EC84B6D7BB9BB52355F11420AFA11D6290E7B9AD40CF70

Function 007A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007A2C94

Part of subcall function 007A29C8: HeapFree.KERNEL32(00000000,00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000), ref: 007A29DE
Part of subcall function 007A29C8: GetLastError.KERNEL32(00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000,00000000), ref: 007A29F0

_free.LIBCMT ref: 007A2CA0
_free.LIBCMT ref: 007A2CAB
_free.LIBCMT ref: 007A2CB6
_free.LIBCMT ref: 007A2CC1
_free.LIBCMT ref: 007A2CCC
_free.LIBCMT ref: 007A2CD7
_free.LIBCMT ref: 007A2CE2
_free.LIBCMT ref: 007A2CED
_free.LIBCMT ref: 007A2CFB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f37af312a0c4c33c0a984dd5f416d4187307648b1b8c50e0cb029a96478916c7
Instruction ID: 3f28ff0e719fe3335d9dbf946b50c22f2984387d14e981bcf3ce050d9d1ce337
Opcode Fuzzy Hash: f37af312a0c4c33c0a984dd5f416d4187307648b1b8c50e0cb029a96478916c7
Instruction Fuzzy Hash: 5A11C676100108EFCB42EF58D846CDE3BA5FF46750F5146A0FA48AB232D635FA519FA1

Function 007E7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007E7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 007E7FC1
GetFileAttributesW.KERNEL32(?), ref: 007E7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 007E8005
SetCurrentDirectoryW.KERNEL32(?), ref: 007E8017
SetCurrentDirectoryW.KERNEL32(?), ref: 007E8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007E80B0

Strings

*.*, xrefs: 007E8066

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dd33a42ef83f0cb0c4380bdf7ef3718b2a2de4a651bbb238e62eb9318f7db53a
Instruction ID: ac4239f0f8d464ff0bb3b4c9ce477ca01a956e1d31f6b9832e29a571c7e45e71
Opcode Fuzzy Hash: dd33a42ef83f0cb0c4380bdf7ef3718b2a2de4a651bbb238e62eb9318f7db53a
Instruction Fuzzy Hash: 7B81A1725092819BCB28EF16C4459AEB3E8BF8C314F544C5EF889D7250EB39DD45CB52

Function 00775BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00775C7A

Part of subcall function 00775D0A: GetClientRect.USER32(?,?), ref: 00775D30
Part of subcall function 00775D0A: GetWindowRect.USER32(?,?), ref: 00775D71
Part of subcall function 00775D0A: ScreenToClient.USER32(?,?), ref: 00775D99

GetDC.USER32 ref: 007B46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007B4708
SelectObject.GDI32(00000000,00000000), ref: 007B4716
SelectObject.GDI32(00000000,00000000), ref: 007B472B
ReleaseDC.USER32(?,00000000), ref: 007B4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007B47C4

Strings

U, xrefs: 007B4693

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 633bb2f1b846a57bdf740db4a3c807b741912a619cb15578121083a245fb3202
Instruction ID: 3185df4f664c190fcf6e32ec0795424418ad54c25d88ecb7532e44e7e365e3bd
Opcode Fuzzy Hash: 633bb2f1b846a57bdf740db4a3c807b741912a619cb15578121083a245fb3202
Instruction Fuzzy Hash: 8B710030400205EFCF228F64C985BFA3BB5FF4A364F144269ED559A2A7CB398881DF60

Function 007E359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007E35E4

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

LoadStringW.USER32(00842390,?,00000FFF,?), ref: 007E360A

Strings

Error: , xrefs: 007E36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 007E3724
^ ERROR, xrefs: 007E36C9
Line %d (File "%s"):, xrefs: 007E366B
"%s" (%d) : ==> %s:, xrefs: 007E3742

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 12f5d85cc1951b18a520ab320b2f9b1feeb9512209a78f1d9617955295796f65
Instruction ID: 59b5c0ad7650770c16e777236b4d609f79d4692c0545fb1c787962f719b9087b
Opcode Fuzzy Hash: 12f5d85cc1951b18a520ab320b2f9b1feeb9512209a78f1d9617955295796f65
Instruction Fuzzy Hash: 7B515E71801249FADF15EBA0CC4AEEDBB74FF15340F148125F619721A1EB391A98DFA1

Function 007EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007EC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007EC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007EC2CA
GetLastError.KERNEL32 ref: 007EC322
SetEvent.KERNEL32(?), ref: 007EC336
InternetCloseHandle.WININET(00000000), ref: 007EC341

Strings

, xrefs: 007EC2BB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: b09b5afa257903675db8771e36b65af2761366634d54097665e26de11dab028f
Instruction ID: 004abe6c9ee5c19ca0fa68d6e01143608f99c6c6cd0cfa2fa93399d652d52964
Opcode Fuzzy Hash: b09b5afa257903675db8771e36b65af2761366634d54097665e26de11dab028f
Instruction Fuzzy Hash: 9A31A0B5501284AFD7229F668C88AAB7BFCFB4D744F14851DF446D3200DB38DD068B61

Function 007D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007B3AAF,?,?,Bad directive syntax error,0080CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007D98BC
LoadStringW.USER32(00000000,?,007B3AAF,?), ref: 007D98C3

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007D9987

Strings

Error: , xrefs: 007D9955
Line %d:, xrefs: 007D9912
%s (%d) : ==> %s.: %s %s, xrefs: 007D98F1
Line %d (File "%s"):, xrefs: 007D992D
., xrefs: 007D996D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b582b13a0e89c68e9d96831fe604b3e25aa99ae48cbbfcdd4d1d250fd3818f46
Instruction ID: 211d4ba1715fdc60672dbb9594af5ff2b05e38de6ed9b96e80a0d1cb66d534f5
Opcode Fuzzy Hash: b582b13a0e89c68e9d96831fe604b3e25aa99ae48cbbfcdd4d1d250fd3818f46
Instruction Fuzzy Hash: 85218631C00219FBCF15AF90CC1AEEE7779FF14340F048466F619661A1EB79A628DB51

Function 007D209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007D20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007D20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007D214D

Strings

smallicons, xrefs: 007D2115
list, xrefs: 007D212F
SHELLDLL_DefView, xrefs: 007D20CC
largeicons, xrefs: 007D20E1
details, xrefs: 007D20FB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: be58824bccadc660a1769114616573c43cd7fab8b1aae9c95a25bce1e7d8c89c
Instruction ID: 4be00bba7728416f374f67791df86eb225a1e38462eba671e026f4c5bbb371f1
Opcode Fuzzy Hash: be58824bccadc660a1769114616573c43cd7fab8b1aae9c95a25bce1e7d8c89c
Instruction Fuzzy Hash: D611E77668470AB9FA112624AC0ADA677ACEF24734F208217F704E52D2FA6E58035654

Function 007ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 007ACEB7
_free.LIBCMT ref: 007ACF22
_free.LIBCMT ref: 007ACF48
_free.LIBCMT ref: 007ACF71
_free.LIBCMT ref: 007ACFA9
_free.LIBCMT ref: 007ACFDA
_free.LIBCMT ref: 007AD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 007AD09C
_free.LIBCMT ref: 007AD0B5

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4a483dfc891a44862d1735f82b3dc5eefb40d4be25cb2af4ab675b360681f24b
Instruction ID: 447e7e78a774a5a57d2f27eb318a55a52659cc9b57d4b302de0bbae0af4baaa9
Opcode Fuzzy Hash: 4a483dfc891a44862d1735f82b3dc5eefb40d4be25cb2af4ab675b360681f24b
Instruction Fuzzy Hash: ED613973904200FFDF26AFB8984976A7B95AF87320F04436DFA55A7242D63D9D01CB50

Function 008050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00805186
ShowWindow.USER32(?,00000000), ref: 008051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008051D1

Part of subcall function 00806FBA: DeleteObject.GDI32(00000000), ref: 00806FE6

GetWindowLongW.USER32(?,000000F0), ref: 0080520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0080521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0080524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00805287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00805296

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 4f9669c97c88fe650a68abeb506b2a68bc02bdf6bf015626285747a2cf0d57b7
Instruction ID: c231fa7c544f7db204a72c049ddbc24aa8b18154fd8240c2d2940ee10ea1d156
Opcode Fuzzy Hash: 4f9669c97c88fe650a68abeb506b2a68bc02bdf6bf015626285747a2cf0d57b7
Instruction Fuzzy Hash: 75518D30A91A09FFEFA09F28CC4AB9A3B65FF05325F148111F625D62E0C775A990DF61

Function 00788B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 007C6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007C68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007C68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007C68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007C68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00788874,00000000,00000000,00000000,000000FF,00000000), ref: 007C6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007C691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00788874,00000000,00000000,00000000,000000FF,00000000), ref: 007C692D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 464266b508f5d38e9470413934925cf61716879abea773da968992b393809640
Instruction ID: 2f521138f7a5dc72e2ad9eefe15b38fbaf61bc12366e74551a59a78ebd6aeb55
Opcode Fuzzy Hash: 464266b508f5d38e9470413934925cf61716879abea773da968992b393809640
Instruction Fuzzy Hash: 9F518AB0640209EFDB60EF24CC95FAA7BB5FB98750F10461CF916972A0DB78E990DB50

Function 007EC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007EC182
GetLastError.KERNEL32 ref: 007EC195
SetEvent.KERNEL32(?), ref: 007EC1A9

Part of subcall function 007EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007EC272
Part of subcall function 007EC253: GetLastError.KERNEL32 ref: 007EC322
Part of subcall function 007EC253: SetEvent.KERNEL32(?), ref: 007EC336
Part of subcall function 007EC253: InternetCloseHandle.WININET(00000000), ref: 007EC341

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4829ae913a1884b7fba43a8154d6c2f820d62f1e1930afecc7a592dd49e1c077
Instruction ID: 50b425e1c92e36a9966a22f3a9e5c551372eb86243fbbeb728623c36e17bc417
Opcode Fuzzy Hash: 4829ae913a1884b7fba43a8154d6c2f820d62f1e1930afecc7a592dd49e1c077
Instruction Fuzzy Hash: 4A318F79202685EFDB229FAADC44A76BBFDFF1C300B04451DFA5686610D738E8169B60

Function 007D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007D3A57
Part of subcall function 007D3A3D: GetCurrentThreadId.KERNEL32 ref: 007D3A5E
Part of subcall function 007D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007D25B3), ref: 007D3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007D25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007D25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007D25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007D25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007D2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 007D2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 007D260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007D2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 007D2627

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 809ca6deea9001341fabd8298789e92a55ad2ca6fecfc6752271f729064ac10e
Instruction ID: 73190c2740902d5ab93d486a8574369f7e86306eac7df175d2c0a9a9912d4708
Opcode Fuzzy Hash: 809ca6deea9001341fabd8298789e92a55ad2ca6fecfc6752271f729064ac10e
Instruction Fuzzy Hash: 5A01D830390210BBFB606B689C8EF593F69EB5EB11F100106F314AF1D1C9E654458AAA

Function 007D1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,007D1449,?,?,00000000), ref: 007D180C
HeapAlloc.KERNEL32(00000000,?,007D1449,?,?,00000000), ref: 007D1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007D1449,?,?,00000000), ref: 007D1828
GetCurrentProcess.KERNEL32(?,00000000,?,007D1449,?,?,00000000), ref: 007D1830
DuplicateHandle.KERNEL32(00000000,?,007D1449,?,?,00000000), ref: 007D1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007D1449,?,?,00000000), ref: 007D1843
GetCurrentProcess.KERNEL32(007D1449,00000000,?,007D1449,?,?,00000000), ref: 007D184B
DuplicateHandle.KERNEL32(00000000,?,007D1449,?,?,00000000), ref: 007D184E
CreateThread.KERNEL32(00000000,00000000,007D1874,00000000,00000000,00000000), ref: 007D1868

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f81218f9edcb7c66f0eb2cc5b532786f3ac23ecd330f2b7675af82f591721500
Instruction ID: 4f61a038fdc760744ff3119441266ada13117cbf5db7da101df4d5952b3c2e50
Opcode Fuzzy Hash: f81218f9edcb7c66f0eb2cc5b532786f3ac23ecd330f2b7675af82f591721500
Instruction Fuzzy Hash: 1701BBB5240308BFE750AFA5DC4DF6B7BACFB89B11F418511FA05DB2A2CA749800CB20

Function 007A3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007A3F0B
__alldvrm.LIBCMT ref: 007A410C
__alldvrm.LIBCMT ref: 007A412E

Strings

}}y, xrefs: 007A40CD
}}y, xrefs: 007A3E8A
}}y, xrefs: 007A3E96, 007A3EF1, 007A3F0A, 007A4090

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}y$}}y$}}y
API String ID: 1036877536-1917491473
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 068a21e564a763bfb6107686cc08dc82abec53634eda17ad242182b02678879e
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 8AA14872E103869FDB15CF18C8917AEBBE4EFE3350F1442ADE5959B282C2BD8981C750

Function 007FA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 007DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 007DD501
Part of subcall function 007DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 007DD50F
Part of subcall function 007DD4DC: CloseHandle.KERNEL32(00000000), ref: 007DD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007FA16D
GetLastError.KERNEL32 ref: 007FA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007FA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 007FA268
GetLastError.KERNEL32(00000000), ref: 007FA273
CloseHandle.KERNEL32(00000000), ref: 007FA2C4

Strings

SeDebugPrivilege, xrefs: 007FA18F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4e0b7f7a03a81709def100e0469e1507e0050efd2414102ca72bea8c947c72fc
Instruction ID: 2d8a8aadecf7bc6c9cb7facfa51950bc30d46059712e7d6dd4deafc8d1fc55bc
Opcode Fuzzy Hash: 4e0b7f7a03a81709def100e0469e1507e0050efd2414102ca72bea8c947c72fc
Instruction Fuzzy Hash: E4618F71204246AFD710DF18C498F29BBE1BF84318F19849CE56A4B7A3C77AED45CB92

Function 00803886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00803925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0080393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00803954
_wcslen.LIBCMT ref: 00803999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008039F4

Strings

SysListView32, xrefs: 008038F7

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 513571a21c126df8f73cc2e25a4c4d27a9fda8b86491df6a97a433ca538aabe0
Instruction ID: 8ee8f4defb5f41cfe7d7cec58d7f995cb8d9b8c64d27c1e639df673491ec9cb1
Opcode Fuzzy Hash: 513571a21c126df8f73cc2e25a4c4d27a9fda8b86491df6a97a433ca538aabe0
Instruction Fuzzy Hash: 4041A071A00219ABEF619F64CC49FEA7BADFF08350F10052AF958E72C1D7759A80CB90

Function 007DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007DBCFD
IsMenu.USER32(00000000), ref: 007DBD1D
CreatePopupMenu.USER32 ref: 007DBD53
GetMenuItemCount.USER32(010A68D0), ref: 007DBDA4
InsertMenuItemW.USER32(010A68D0,?,00000001,00000030), ref: 007DBDCC

Strings

0, xrefs: 007DBCA8
2, xrefs: 007DBD37

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2842445db0e20baeee46d0d61f7ef6c995a0a1ff92a50d98bd9dd092be8b0438
Instruction ID: 7f231cb3f2ecd7ed835c0eace1e409fa38b922eed36afa9f8e1098c977311b45
Opcode Fuzzy Hash: 2842445db0e20baeee46d0d61f7ef6c995a0a1ff92a50d98bd9dd092be8b0438
Instruction Fuzzy Hash: 8951AF70B00205EBDF11CFA8D888BAEBBF6BF49314F15425BE44197391D778A941CB61

Function 00792D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00792D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00792D53
_ValidateLocalCookies.LIBCMT ref: 00792DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00792E0C
_ValidateLocalCookies.LIBCMT ref: 00792E61

Strings

csm, xrefs: 00792DF6
&Hy, xrefs: 00792DFE, 00792E07, 00792E18

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hy$csm
API String ID: 1170836740-3238203172
Opcode ID: d45156fdf437b89192cfc2a1b8d372bc03c0d42133c7961df6ea1b2b8dec2749
Instruction ID: 85ce1ba64ae360ec310ff301e5e735a0f654e3f7c613be67a16c60059c7d47b9
Opcode Fuzzy Hash: d45156fdf437b89192cfc2a1b8d372bc03c0d42133c7961df6ea1b2b8dec2749
Instruction Fuzzy Hash: F041B534A01209FBCF14EF68D849A9EBBB5BF45324F148155E814AB393D7399E02CBD0

Function 007DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007DC913

Strings

question, xrefs: 007DC8CC
warning, xrefs: 007DC8FC
info, xrefs: 007DC8B4
stop, xrefs: 007DC8E4
blank, xrefs: 007DC895

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 231adf7b462b8b2c04bfce736aa382e752bda636aff1557ce044d0e381594dc8
Instruction ID: cf38743cf32d7f812a00a7deb7b215f218a100a83ac5ebbc99eed7e4e868cd2a
Opcode Fuzzy Hash: 231adf7b462b8b2c04bfce736aa382e752bda636aff1557ce044d0e381594dc8
Instruction Fuzzy Hash: 6D11EB31689307BEEB025B54EC93CAA67BCEF15364B50412BF500E6382E77C6D0192A4

Function 007DDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007DDE42
gethostname.WSOCK32(?,00000100), ref: 007DDE5C
gethostbyname.WSOCK32(?), ref: 007DDE69
inet_ntoa.WSOCK32(?), ref: 007DDEAB
_strcat.LIBCMT ref: 007DDEB9
WSACleanup.WSOCK32 ref: 007DDEDE

Strings

0.0.0.0, xrefs: 007DDE87

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1d8bf474562f1bdd0a1ad0e31a0eaac1cf87f25d00c039ff6d15e4db32e6eaaf
Instruction ID: 4e1d2b56adf0be60dee62c792e122225de842b4d522e8352024ae81340719617
Opcode Fuzzy Hash: 1d8bf474562f1bdd0a1ad0e31a0eaac1cf87f25d00c039ff6d15e4db32e6eaaf
Instruction Fuzzy Hash: 0011E771904104EFCB306B649C0AEDE777CEB14711F04016AF44596291EF789E818B50

Function 00809F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00789BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00789BB2

GetSystemMetrics.USER32(0000000F), ref: 00809FC7
GetSystemMetrics.USER32(0000000F), ref: 00809FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0080A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0080A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0080A263
ShowWindow.USER32(00000003,00000000), ref: 0080A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0080A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0080A2CA

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 8c412ea0810832b52bb312b00c323b923b16a598a28b47428eb4e58859e6e8aa
Instruction ID: 7e88a5a20b6736788197d311ebe4fb828d40f7e04fdca72031fc65dee00edfa7
Opcode Fuzzy Hash: 8c412ea0810832b52bb312b00c323b923b16a598a28b47428eb4e58859e6e8aa
Instruction Fuzzy Hash: A3B18935600219EFDF58CF68C9857AE7BB2FF48701F098169EC89DB295DB31A940CB51

Function 007DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007DED2A
_wcslen.LIBCMT ref: 007DED3B
_wcslen.LIBCMT ref: 007DED79
_wcslen.LIBCMT ref: 007DEDAF
_wcslen.LIBCMT ref: 007DEDDF
_wcslen.LIBCMT ref: 007DEDEF
_wcslen.LIBCMT ref: 007DEE2B
_wcslen.LIBCMT ref: 007DEE5A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 98a7de81358668e93d2f6a7c082c4ce86c3d5ef6cfd54fe463175875151b6c39
Instruction ID: e928c34635bf35643081e2cc9b3d9fbf57e3c67ed96e0bd7074e8c82fe47fd27
Opcode Fuzzy Hash: 98a7de81358668e93d2f6a7c082c4ce86c3d5ef6cfd54fe463175875151b6c39
Instruction Fuzzy Hash: 88418066C10218B5DF11FBB49C8E9CFB7B8AF45710F508562E518E3222FB38E655C3A5

Function 0078F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,007C682C,00000004,00000000,00000000), ref: 0078F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,007C682C,00000004,00000000,00000000), ref: 007CF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,007C682C,00000004,00000000,00000000), ref: 007CF454

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0aa4496c799721a1e83ee6a370163fdffa3035185faf42ee15862e2d607db570
Instruction ID: a7029f782ebec5749f6e9fc4dbeb332bcc587591009897b2bf841173df195298
Opcode Fuzzy Hash: 0aa4496c799721a1e83ee6a370163fdffa3035185faf42ee15862e2d607db570
Instruction Fuzzy Hash: F7411531648680FEC739AF2DC888B2A7F92BB56320F14453CE087D6660C63EB980CB11

Function 00802D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00802D1B
GetDC.USER32(00000000), ref: 00802D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00802D2E
ReleaseDC.USER32(00000000,00000000), ref: 00802D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00802D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00802D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00805A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00802DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00802DE1

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d301b8292e6e77a3146fac3ab5ad77fc42d1a5cd302a1e6e6f925b0381b9a902
Instruction ID: ced511fd39f1fa56090cd0f400c3a80500d584e537d85659682e313431730232
Opcode Fuzzy Hash: d301b8292e6e77a3146fac3ab5ad77fc42d1a5cd302a1e6e6f925b0381b9a902
Instruction Fuzzy Hash: 19317872201214ABEBA18F548C8AFAB3BA9FB1A711F044155FE08DA2D1C6B59C41CBA0

Function 007D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007D5637
_memcmp.LIBVCRUNTIME ref: 007D5659
_memcmp.LIBVCRUNTIME ref: 007D5671
_memcmp.LIBVCRUNTIME ref: 007D5684
_memcmp.LIBVCRUNTIME ref: 007D569E
_memcmp.LIBVCRUNTIME ref: 007D56B1
_memcmp.LIBVCRUNTIME ref: 007D56C9
_memcmp.LIBVCRUNTIME ref: 007D56E4

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6685076326dc5db78050ef37e39940aea8c1de181e87791e64b5d60f2e1a2f2d
Instruction ID: 19eabeb6f2701306dde603ac5546525d5d0831e9e41086fe9aac431f20ab0c48
Opcode Fuzzy Hash: 6685076326dc5db78050ef37e39940aea8c1de181e87791e64b5d60f2e1a2f2d
Instruction Fuzzy Hash: 1E212C61744A19F7E61555109D87FFA337CFF20B94F944022FE149AB82F72CED2086A5

Function 007F4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 007F502E, 007F5383
Not an Object type, xrefs: 007F5007

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8fdd78773fd525c22e73f207052e586a68c63ae35325d5b9e3eb2308eeb3427f
Instruction ID: 05ab46e38483b1a66026c6267c28b6bfa961768fed64c4951903288a2f15f4d4
Opcode Fuzzy Hash: 8fdd78773fd525c22e73f207052e586a68c63ae35325d5b9e3eb2308eeb3427f
Instruction Fuzzy Hash: BCD18071A0060EAFDB10CF68C885BBEB7B5BF48354F148169EA15AB381E774DD41CB90

Function 007B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 007B15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007B1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007B16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007B16FB

Part of subcall function 007A3820: RtlAllocateHeap.NTDLL(00000000,?,00841444,?,0078FDF5,?,?,0077A976,00000010,00841440,007713FC,?,007713C6,?,00771129), ref: 007A3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007B1777
__freea.LIBCMT ref: 007B17A2
__freea.LIBCMT ref: 007B17AE

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6fa8af8e740b1f492a4343924a15f005fad49df84e2e72093805dab65eef638d
Instruction ID: 69f360c365e9cf206217ffff0de2459804920d125fcbaf74d7edcd1e995ce034
Opcode Fuzzy Hash: 6fa8af8e740b1f492a4343924a15f005fad49df84e2e72093805dab65eef638d
Instruction Fuzzy Hash: 1691A271E102169ADB208F74C8A5BEEBBB5AF49310FD84669F801E7141DB2DDD40CBA0

Function 007F4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007F4648
VariantInit.OLEAUT32(?), ref: 007F4749
VariantClear.OLEAUT32(?), ref: 007F4753
VariantClear.OLEAUT32(?), ref: 007F47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007F45D8, 007F4706, 007F47BE
Incorrect Object type in FOR..IN loop, xrefs: 007F472C

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1582eb9cf53258d6905b92a4a4b1ec498ffc49b566d3b9671b3b61ce188a8d5b
Instruction ID: 9d592c23d4963a0b44bb23b3ba9e8d5f611e7c7edd2d0b05bc1238ffc61d22ad
Opcode Fuzzy Hash: 1582eb9cf53258d6905b92a4a4b1ec498ffc49b566d3b9671b3b61ce188a8d5b
Instruction Fuzzy Hash: 90917F71A00219ABDF20DFA5C888EAFB7B8FF46714F108559F615AB380D7789945CBA0

Function 007E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 007E125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 007E1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007E12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007E12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007E135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007E13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007E1430

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 2e234c5035646b46bd4f9b8cf47af50a82c9cbff803addcc21a214397e0677fa
Instruction ID: c6bd373a940f096027c7dadd402e1d834061c5fd06e0ab042a953091a95ea94c
Opcode Fuzzy Hash: 2e234c5035646b46bd4f9b8cf47af50a82c9cbff803addcc21a214397e0677fa
Instruction Fuzzy Hash: 4591D575A01248DFDB00DFA5C88ABBE77B9FF49325F514029EA00EB291D77CA941CB90

Function 0078948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 85167bf8c7e4050ea02feaad7c08460ca0ecb0cbf8ec0305f142d07d1a159ad8
Instruction ID: d715b1b912f6e54f4be4b84de584e64300f4d622d8b6229bcc43210ae2645f1c
Opcode Fuzzy Hash: 85167bf8c7e4050ea02feaad7c08460ca0ecb0cbf8ec0305f142d07d1a159ad8
Instruction Fuzzy Hash: 46914771940209EFCB14DFA9C888AEEBBB8FF49320F188149E515B7291D778A951CB60

Function 007F3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007F396B
CharUpperBuffW.USER32(?,?), ref: 007F3A7A
_wcslen.LIBCMT ref: 007F3A8A
VariantClear.OLEAUT32(?), ref: 007F3C1F

Part of subcall function 007E0CDF: VariantInit.OLEAUT32(00000000), ref: 007E0D1F
Part of subcall function 007E0CDF: VariantCopy.OLEAUT32(?,?), ref: 007E0D28
Part of subcall function 007E0CDF: VariantClear.OLEAUT32(?), ref: 007E0D34

Strings

Incorrect Parameter format, xrefs: 007F39A6, 007F3BA1
AUTOIT.ERROR, xrefs: 007F3A80, 007F3A85

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 4a93eb20fac34d609e84ed390175d009c3eee7aefc2d0f686bcdfa74cb1be9d2
Instruction ID: 5070b663e75e34efa2c6cf2c92deb97a56aaa6fea9ea39de77e8c61f84a10012
Opcode Fuzzy Hash: 4a93eb20fac34d609e84ed390175d009c3eee7aefc2d0f686bcdfa74cb1be9d2
Instruction Fuzzy Hash: 5D914674608309DFCB04EF24C49596AB7E4BF88314F14892EF9899B351DB39EE45CB92

Function 007F4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 007D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?,?,?,007D035E), ref: 007D002B
Part of subcall function 007D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?,?), ref: 007D0046
Part of subcall function 007D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?,?), ref: 007D0054
Part of subcall function 007D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?), ref: 007D0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 007F4C51
_wcslen.LIBCMT ref: 007F4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 007F4DCF
CoTaskMemFree.OLE32(?), ref: 007F4DDA

Strings

NULL Pointer assignment, xrefs: 007F4E23, 007F4E52

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 273756e4d3851c9d902a16d2dd72838a178b0226b446b27e5c01af34c8294f58
Instruction ID: b52c27601bf1e5ab29cd63bfa7933af2643a37d9678c190fe284a3fcffbf0bc6
Opcode Fuzzy Hash: 273756e4d3851c9d902a16d2dd72838a178b0226b446b27e5c01af34c8294f58
Instruction Fuzzy Hash: 85912971D0021DEFDF14DFA4C895AEEB7B8BF48314F10816AE619A7251DB389A44CFA0

Function 008020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00802183
GetMenuItemCount.USER32(00000000), ref: 008021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008021DD
_wcslen.LIBCMT ref: 00802213
GetMenuItemID.USER32(?,?), ref: 0080224D
GetSubMenu.USER32(?,?), ref: 0080225B

Part of subcall function 007D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007D3A57
Part of subcall function 007D3A3D: GetCurrentThreadId.KERNEL32 ref: 007D3A5E
Part of subcall function 007D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007D25B3), ref: 007D3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008022E3

Part of subcall function 007DE97B: Sleep.KERNEL32 ref: 007DE9F3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c5c0bf5da8da4bf5db083a786bacaea935066768a97437be778a8004a659ab8a
Instruction ID: 91269a570e1e6a7182df64729b381ed7ba1ca225f5269173c6f1ccfcb1c88167
Opcode Fuzzy Hash: c5c0bf5da8da4bf5db083a786bacaea935066768a97437be778a8004a659ab8a
Instruction Fuzzy Hash: BA718E75A00215EFCB51EFA4CC49AAEB7F5FF48310F148459E816EB391DB78AD418B90

Function 00807E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010A6C18), ref: 00807F37
IsWindowEnabled.USER32(010A6C18), ref: 00807F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0080801E
SendMessageW.USER32(010A6C18,000000B0,?,?), ref: 00808051
IsDlgButtonChecked.USER32(?,?), ref: 00808089
GetWindowLongW.USER32(010A6C18,000000EC), ref: 008080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008080C3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: dc6d5cab5054e62689e75bdc9f1d92326b41c48562ef6ac789e00c7b1d0484f6
Instruction ID: 1e613858d115f56d9b7a624dfb558bd1681432932bdfa719baa04dbe4561b8d3
Opcode Fuzzy Hash: dc6d5cab5054e62689e75bdc9f1d92326b41c48562ef6ac789e00c7b1d0484f6
Instruction Fuzzy Hash: 18716C34A08249EFEFB19F54CC94FAABBB5FF1A300F144459E955D72A1CB31A885DB20

Function 007DAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007DAEF9
GetKeyboardState.USER32(?), ref: 007DAF0E
SetKeyboardState.USER32(?), ref: 007DAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 007DAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 007DAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 007DAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007DB020

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 86bea82f8158ab96334126bbbd628e40f2832d08127db95c6f7a626ca4799dae
Instruction ID: d3d615f5646f3a58181a263b3601e17fb85124d3da204fff067cd3897f3fd1d0
Opcode Fuzzy Hash: 86bea82f8158ab96334126bbbd628e40f2832d08127db95c6f7a626ca4799dae
Instruction Fuzzy Hash: 4D51D1A1A047D57DFB3643348849BBBBEB96B06304F08858AE1E9459C2C39DE9C8D761

Function 007DACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007DAD19
GetKeyboardState.USER32(?), ref: 007DAD2E
SetKeyboardState.USER32(?), ref: 007DAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007DADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007DADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007DAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007DAE38

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6ea0a97096d9690e37fb0b25023ab47916ecf79f6abcacebf1eda6c0c41c1e00
Instruction ID: 1dba3520c28bc2f1d85baef9936855cf3c26162d572aa5f67792db7e264d4509
Opcode Fuzzy Hash: 6ea0a97096d9690e37fb0b25023ab47916ecf79f6abcacebf1eda6c0c41c1e00
Instruction Fuzzy Hash: 6E51D5A16047D53DFB3683348C56B7A7FB97B46300F08858AE1D556AC2D29CEC88E762

Function 007A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(007B3CD6,?,?,?,?,?,?,?,?,007A5BA3,?,?,007B3CD6,?,?), ref: 007A5470
__fassign.LIBCMT ref: 007A54EB
__fassign.LIBCMT ref: 007A5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,007B3CD6,00000005,00000000,00000000), ref: 007A552C
WriteFile.KERNEL32(?,007B3CD6,00000000,007A5BA3,00000000,?,?,?,?,?,?,?,?,?,007A5BA3,?), ref: 007A554B
WriteFile.KERNEL32(?,?,00000001,007A5BA3,00000000,?,?,?,?,?,?,?,?,?,007A5BA3,?), ref: 007A5584

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e573290df054a4f6e66ca1a6cf60e85ed797e05e7dc27e1e5e71c94f40c59bcc
Instruction ID: 300417f962804ac7350cc23edd0547b67bfc43a6d5c23cdba87e7bc0066b6bde
Opcode Fuzzy Hash: e573290df054a4f6e66ca1a6cf60e85ed797e05e7dc27e1e5e71c94f40c59bcc
Instruction Fuzzy Hash: 6F51D471E006499FDB10CFA8D845AEEBBFAFF4A300F14421AF955E7291E7349A51CB60

Function 007F10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007F307A
Part of subcall function 007F304E: _wcslen.LIBCMT ref: 007F309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007F1112
WSAGetLastError.WSOCK32 ref: 007F1121
WSAGetLastError.WSOCK32 ref: 007F11C9
closesocket.WSOCK32(00000000), ref: 007F11F9

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e2d9949c572b3d1eaf828ae3986e8e3c4e257a59fcdff6fe28db740693d804da
Instruction ID: 5e8b7ed999b0932709a1a9227fb069fe7e806e1666aa510c1ff8320175b22d4a
Opcode Fuzzy Hash: e2d9949c572b3d1eaf828ae3986e8e3c4e257a59fcdff6fe28db740693d804da
Instruction Fuzzy Hash: 7541C33160020CEFDB109F24C889BB9B7E9FF45364F548159FA199B391C778AD41CBA1

Function 007DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007DCF22,?), ref: 007DDDFD

Part of subcall function 007DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007DCF22,?), ref: 007DDE16

lstrcmpiW.KERNEL32(?,?), ref: 007DCF45
MoveFileW.KERNEL32(?,?), ref: 007DCF7F
_wcslen.LIBCMT ref: 007DD005
_wcslen.LIBCMT ref: 007DD01B
SHFileOperationW.SHELL32(?), ref: 007DD061

Strings

\*.*, xrefs: 007DCFF3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b24a3d1c0ff01aecae7cf978e77539a1237aa2063d2b8d00d5cd573107392a0d
Instruction ID: 36d32938a45aa50a233d0aa3e431673f06528a4e5dda2b75140867fd8415b3d6
Opcode Fuzzy Hash: b24a3d1c0ff01aecae7cf978e77539a1237aa2063d2b8d00d5cd573107392a0d
Instruction Fuzzy Hash: EB4137729452199FDF13EFA4D985ADDB7B9AF48380F1400E7E505EB241EB38AA44CB50

Function 00802DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00802E1C
GetWindowLongW.USER32(?,000000F0), ref: 00802E4F
GetWindowLongW.USER32(?,000000F0), ref: 00802E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00802EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00802EE0
GetWindowLongW.USER32(?,000000F0), ref: 00802EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00802F0B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ac2100d68c9ec69817ae6ed1481266e114f5afc7418855e8bbf9c50ef0344b33
Instruction ID: 7d6d6c14581ffb861f1897fe1613fb862d46d08192ccfa0d53681f29d4b5bff5
Opcode Fuzzy Hash: ac2100d68c9ec69817ae6ed1481266e114f5afc7418855e8bbf9c50ef0344b33
Instruction Fuzzy Hash: 58311534685144AFDBA0CF58DC88F653BE4FB5A750F1401A4FA15CB2F2CBB1A880DB01

Function 007D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007D7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007D778F
SysAllocString.OLEAUT32(00000000), ref: 007D7792
SysAllocString.OLEAUT32(?), ref: 007D77B0
SysFreeString.OLEAUT32(?), ref: 007D77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007D77DE
SysAllocString.OLEAUT32(?), ref: 007D77EC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5a8d3e8961943e4597f206814680ba153a5619252b18b5f77f5a287436d0664b
Instruction ID: b55136538042f380b0eba41d62d0bd76b54b0ac8588e0dbbdaa9d8776e073ad7
Opcode Fuzzy Hash: 5a8d3e8961943e4597f206814680ba153a5619252b18b5f77f5a287436d0664b
Instruction Fuzzy Hash: 27219076604219AFDB14EFA8CC88CBB77ACFB097747048526FA15DB2A0E674DC41CB64

Function 007D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007D7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007D7868
SysAllocString.OLEAUT32(00000000), ref: 007D786B
SysAllocString.OLEAUT32 ref: 007D788C
SysFreeString.OLEAUT32 ref: 007D7895
StringFromGUID2.OLE32(?,?,00000028), ref: 007D78AF
SysAllocString.OLEAUT32(?), ref: 007D78BD

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4f0843a58123389dfcebf01b2ae8e229372e3dde37a4f8296d1c7ea508a7923f
Instruction ID: d551198714c6917c684359437dc3f49f30d4df07df46f6b8bb417264eb2a17dd
Opcode Fuzzy Hash: 4f0843a58123389dfcebf01b2ae8e229372e3dde37a4f8296d1c7ea508a7923f
Instruction Fuzzy Hash: 98215335608204AFDB14AFB8DC8DDAA77FCFB097607108126F915CB2A1E678DC41DB64

Function 007E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007E04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007E052E

Strings

nul, xrefs: 007E0567

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 035749a5596aee2949bffe7df0e9b224a46d108d5749008955b945a51289fbe8
Instruction ID: 12a77032455488fff5d43d0538ca0e206a18495e78052d5c15f9267ce660ed40
Opcode Fuzzy Hash: 035749a5596aee2949bffe7df0e9b224a46d108d5749008955b945a51289fbe8
Instruction Fuzzy Hash: F7219171501345AFDB208F2ADC08E9A77B4BF49724F204A19F8A1D72E0D7B4D9A0CFA0

Function 007E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007E05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007E0601

Strings

nul, xrefs: 007E0639

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2963c7f11b8e5c437434729c8e20941b880204d3a508f7ae63352d92885e10fc
Instruction ID: 4fb3c7ac8066b23dc4a01d54f843d4965c11651aba374a7e50f96d8d8ccae573
Opcode Fuzzy Hash: 2963c7f11b8e5c437434729c8e20941b880204d3a508f7ae63352d92885e10fc
Instruction Fuzzy Hash: B72192755013459BDB209F6ADC08B9A77F4BF99720F240B19F8A1E72E0D7F498A0CB90

Function 008040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0077604C
Part of subcall function 0077600E: GetStockObject.GDI32(00000011), ref: 00776060
Part of subcall function 0077600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00804112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0080411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0080412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00804139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00804145

Strings

Msctls_Progress32, xrefs: 008040E3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e49246a35a8969d4a3472fe9f658b8c6f768d8613d9576101e060d547d6b34c1
Instruction ID: bd8d9b37358b1d25a1e6bedfef346d10950c6f5d6bf5e4ba53c068da4e5b45eb
Opcode Fuzzy Hash: e49246a35a8969d4a3472fe9f658b8c6f768d8613d9576101e060d547d6b34c1
Instruction Fuzzy Hash: 96118EB218021DBEEF619E64CC85EE77F6DFF18798F004110BB18E2190CA769C61DBA4

Function 007AD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007AD7A3: _free.LIBCMT ref: 007AD7CC

_free.LIBCMT ref: 007AD82D

Part of subcall function 007A29C8: HeapFree.KERNEL32(00000000,00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000), ref: 007A29DE
Part of subcall function 007A29C8: GetLastError.KERNEL32(00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000,00000000), ref: 007A29F0

_free.LIBCMT ref: 007AD838
_free.LIBCMT ref: 007AD843
_free.LIBCMT ref: 007AD897
_free.LIBCMT ref: 007AD8A2
_free.LIBCMT ref: 007AD8AD
_free.LIBCMT ref: 007AD8B8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 02719992826948fe385c18085575b22d030f6fab895d37a595332b07766ef863
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 09115171540B04EAD531BFB0CC4FFCB7BDC6F82700F400A25B29AA68B3DA6DB9064A51

Function 007DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007DDA74
LoadStringW.USER32(00000000), ref: 007DDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007DDA91
LoadStringW.USER32(00000000), ref: 007DDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007DDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007DDAB9

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 7ff13fe97245a2471109bbdf93d71f2eda4bcfcf605ee0627e59ec4c21ac8489
Instruction ID: ba571193234c5bb2440b917cbf6c6292c4cd4f977a974b9c7bd8d012b11d297e
Opcode Fuzzy Hash: 7ff13fe97245a2471109bbdf93d71f2eda4bcfcf605ee0627e59ec4c21ac8489
Instruction Fuzzy Hash: 4E016DF6900208BFE750ABE4DD89EEB376CFB08301F404596B716E2181EA749E848F74

Function 007E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0109C7E8,0109C7E8), ref: 007E097B
EnterCriticalSection.KERNEL32(0109C7C8,00000000), ref: 007E098D
TerminateThread.KERNEL32(?,000001F6), ref: 007E099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007E09A9
CloseHandle.KERNEL32(?), ref: 007E09B8
InterlockedExchange.KERNEL32(0109C7E8,000001F6), ref: 007E09C8
LeaveCriticalSection.KERNEL32(0109C7C8), ref: 007E09CF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c36fb211e4e5b44a64a8310c2f8f4ebf5bd6016e0f9829765942b91a707b307e
Instruction ID: 5f51cf2bb656bb407a6150a7b42f6437b7232a0fec0da32fd610e877a689af47
Opcode Fuzzy Hash: c36fb211e4e5b44a64a8310c2f8f4ebf5bd6016e0f9829765942b91a707b307e
Instruction Fuzzy Hash: 4CF0EC32542A12BBD7915FA4EE8DBD6BB39FF05702F402225F20290CB1C775A465CF90

Function 00775D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00775D30
GetWindowRect.USER32(?,?), ref: 00775D71
ScreenToClient.USER32(?,?), ref: 00775D99
GetClientRect.USER32(?,?), ref: 00775ED7
GetWindowRect.USER32(?,?), ref: 00775EF8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 60d08f0a0765277af2723e5f5a5e2232428ee9a27382e5a3e087ad996613fe42
Instruction ID: 4bd262ab035e0e9c193a9b83b4136b3e2b4a9ba15b1e3fa01fa1e9c15c9a5558
Opcode Fuzzy Hash: 60d08f0a0765277af2723e5f5a5e2232428ee9a27382e5a3e087ad996613fe42
Instruction Fuzzy Hash: 27B16735A00A4ADBDF10CFA9C4807EEB7F1FF58310F14851AE8A9D7250DB78AA51DB54

Function 007A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007A00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007A00D6
__allrem.LIBCMT ref: 007A00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007A010B
__allrem.LIBCMT ref: 007A0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007A0140

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: c9ae4a97023d90d9e11598753216e139716703e96f8a6f7f513c048c0da459c7
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 7081F776A00706DBEB249F68DC45BAF73E9AF82324F24473AF551D7681E778D9008B90

Function 007F1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,007F101C,00000000,?,?,00000000), ref: 007F3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007F1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007F1DE1
WSAGetLastError.WSOCK32 ref: 007F1DF2
inet_ntoa.WSOCK32(?), ref: 007F1E8C
htons.WSOCK32(?,?,?,?,?), ref: 007F1EDB
_strlen.LIBCMT ref: 007F1F35

Part of subcall function 007D39E8: _strlen.LIBCMT ref: 007D39F2

Part of subcall function 00776D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0078CF58,?,?,?), ref: 00776DBA
Part of subcall function 00776D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0078CF58,?,?,?), ref: 00776DED

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: ce6878b92e245ffd059134ec5adf530a9d343f64fb2939e7556a2dc861a1e7b4
Instruction ID: bb27389a837600b7cbd37da8616911c66ed61e2e1e4176e3862ca8011b4fd53e
Opcode Fuzzy Hash: ce6878b92e245ffd059134ec5adf530a9d343f64fb2939e7556a2dc861a1e7b4
Instruction Fuzzy Hash: 4DA1BD30204344EFC724EB24C889E3A77E5AF84318F94895CF55A5B3A2CB39ED46CB91

Function 007A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007982D9,007982D9,?,?,?,007A644F,00000001,00000001,8BE85006), ref: 007A6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007A644F,00000001,00000001,8BE85006,?,?,?), ref: 007A62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007A63D8
__freea.LIBCMT ref: 007A63E5

Part of subcall function 007A3820: RtlAllocateHeap.NTDLL(00000000,?,00841444,?,0078FDF5,?,?,0077A976,00000010,00841440,007713FC,?,007713C6,?,00771129), ref: 007A3852

__freea.LIBCMT ref: 007A63EE
__freea.LIBCMT ref: 007A6413

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 176367618619b9171a9d67ee8b7ad6ee2df3ea7d1265bf08a22aa4bd054bb41a
Instruction ID: 5d34cf38f3639ee653999e371596efb7b7e1f2d9bb28180881e4d65ee4b7d850
Opcode Fuzzy Hash: 176367618619b9171a9d67ee8b7ad6ee2df3ea7d1265bf08a22aa4bd054bb41a
Instruction Fuzzy Hash: 2251A172A00216EBEF258F64DC85EAF77AAEF86750F194729FD05D6180DB38DC41C6A0

Function 007FBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007FB6AE,?,?), ref: 007FC9B5
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FC9F1
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FCA68
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007FBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007FBD25
RegCloseKey.ADVAPI32(00000000), ref: 007FBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007FBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007FBDF3
RegCloseKey.ADVAPI32(?), ref: 007FBDFF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 26397337874a83548e9f318f8854215fa7efb974a212fccb75af3e01f8c54418
Instruction ID: 404891cf0069bb1e44e287fbcbb6d8723900bbfa1de59cd1a565360bca906420
Opcode Fuzzy Hash: 26397337874a83548e9f318f8854215fa7efb974a212fccb75af3e01f8c54418
Instruction Fuzzy Hash: EC819D30208245EFD714DF24C895E2ABBE5FF84348F14896CF6598B2A2DB35ED45CB92

Function 007CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 007CF7B9
SysAllocString.OLEAUT32(00000001), ref: 007CF860
VariantCopy.OLEAUT32(007CFA64,00000000), ref: 007CF889
VariantClear.OLEAUT32(007CFA64), ref: 007CF8AD
VariantCopy.OLEAUT32(007CFA64,00000000), ref: 007CF8B1
VariantClear.OLEAUT32(?), ref: 007CF8BB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: dc8e1de0378a34042fb1c1d2accfb0e6e72e528f44aef2a6d02fdb790faba046
Instruction ID: ba2a089410a69107af2d459f705efd79bf2c84254d6feecda9b4f54cb59e2c31
Opcode Fuzzy Hash: dc8e1de0378a34042fb1c1d2accfb0e6e72e528f44aef2a6d02fdb790faba046
Instruction Fuzzy Hash: B2519231601310EBCF24AB65D899F29B3E6EF45710B24946FE906DF291DB789C40C7A7

Function 007E910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00777620: _wcslen.LIBCMT ref: 00777625

Part of subcall function 00776B57: _wcslen.LIBCMT ref: 00776B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007E94E5
_wcslen.LIBCMT ref: 007E9506
_wcslen.LIBCMT ref: 007E952D
GetSaveFileNameW.COMDLG32(00000058), ref: 007E9585

Strings

X, xrefs: 007E9412

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f9bc8124cf7570a21f0e0c326b55a93790650b3890cd22a2b9003b23c30bb808
Instruction ID: 180ed4ac0e37042102b44ac71bda2d9b3609b42444c41c54e3e49a5d15091993
Opcode Fuzzy Hash: f9bc8124cf7570a21f0e0c326b55a93790650b3890cd22a2b9003b23c30bb808
Instruction Fuzzy Hash: EBE1D231505340DFDB24DF25C885A6AB7E4FF89354F04896CFA899B2A2DB38DD05CB92

Function 0078920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00789BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00789BB2

BeginPaint.USER32(?,?,?), ref: 00789241
GetWindowRect.USER32(?,?), ref: 007892A5
ScreenToClient.USER32(?,?), ref: 007892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007892D3
EndPaint.USER32(?,?,?,?,?), ref: 00789321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007C71EA

Part of subcall function 00789339: BeginPath.GDI32(00000000), ref: 00789357

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7c29c1c05485163a5829553acb9e5498da4482fd506a64056e8ea0eababe3fd7
Instruction ID: 26f2bf16f0176c98dec9f9fab21599ea72da241907e367d46fea0976b288b7d4
Opcode Fuzzy Hash: 7c29c1c05485163a5829553acb9e5498da4482fd506a64056e8ea0eababe3fd7
Instruction Fuzzy Hash: B2419170144200EFDB21EF64DC88FBA7BA8FB96320F18026DFA65871E1C7759845DB61

Function 007E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007E080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 007E0847
EnterCriticalSection.KERNEL32(?), ref: 007E0863
LeaveCriticalSection.KERNEL32(?), ref: 007E08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007E08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 007E0921

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3cccac9c8011f2c0d39c177205dca2b91cf0721b0518682c96591f78abfbdb02
Instruction ID: 7e590aac10305219d3630acc93683b76694e877a2fb1cf9044acaf79c43b5f1e
Opcode Fuzzy Hash: 3cccac9c8011f2c0d39c177205dca2b91cf0721b0518682c96591f78abfbdb02
Instruction Fuzzy Hash: EB418B71900205EFDF14AF64DC85AAA77B8FF48310F1440A9ED009E297DB74EEA1DBA0

Function 008081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,007CF3AB,00000000,?,?,00000000,?,007C682C,00000004,00000000,00000000), ref: 0080824C
EnableWindow.USER32(?,00000000), ref: 00808272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008082D1
ShowWindow.USER32(?,00000004), ref: 008082E5
EnableWindow.USER32(?,00000001), ref: 0080830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0080832F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 926eacac7f446af00b429e2562f866ac3ac734dcc1995191caf41922a6255316
Instruction ID: 722aeadc51a873c9d0de98be93072591190751724db0010f2d532ee09b9407ca
Opcode Fuzzy Hash: 926eacac7f446af00b429e2562f866ac3ac734dcc1995191caf41922a6255316
Instruction Fuzzy Hash: AF417434601644EFDFA5CF25CC99BA47FE1FB4A714F194269E5488B2E2CB31A8C1CB51

Function 007D4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 007D4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007D4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007D4CEA
_wcslen.LIBCMT ref: 007D4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007D4D10
_wcsstr.LIBVCRUNTIME ref: 007D4D1A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 78c57d540dd8a2330fb4b9fced04942c59367db40248f13601ef1e4968e61642
Instruction ID: f29dad7d0cfa0c5bb51720e9f3eb44a252e6f4bcb0bc8a86d19fc32c7b04d132
Opcode Fuzzy Hash: 78c57d540dd8a2330fb4b9fced04942c59367db40248f13601ef1e4968e61642
Instruction Fuzzy Hash: 69210732204200BBEB655B35EC49E7B7BADDF45750F10406EF909CA291EA79DC4187A0

Function 007E581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00773AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00773A97,?,?,00772E7F,?,?,?,00000000), ref: 00773AC2

_wcslen.LIBCMT ref: 007E587B
CoInitialize.OLE32(00000000), ref: 007E5995
CoCreateInstance.OLE32(0080FCF8,00000000,00000001,0080FB68,?), ref: 007E59AE
CoUninitialize.OLE32 ref: 007E59CC

Strings

.lnk, xrefs: 007E5876, 007E58C1, 007E5985

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3e4c6aa7b922fa20a524643530bb4bead67332fb2a42208f108df3ffdb3f8f5c
Instruction ID: dd52c895922e58a8b57bc0a09d399958317205b287807adfb20a457b2a67c800
Opcode Fuzzy Hash: 3e4c6aa7b922fa20a524643530bb4bead67332fb2a42208f108df3ffdb3f8f5c
Instruction Fuzzy Hash: 4CD16371604605DFCB14DF25C484A2ABBE1FF89718F14895DF8899B362DB39EC05CB92

Function 007D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007D0FCA
Part of subcall function 007D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007D0FD6
Part of subcall function 007D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007D0FE5
Part of subcall function 007D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007D0FEC
Part of subcall function 007D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007D1002

GetLengthSid.ADVAPI32(?,00000000,007D1335), ref: 007D17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007D17BA
HeapAlloc.KERNEL32(00000000), ref: 007D17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007D17DA
GetProcessHeap.KERNEL32(00000000,00000000,007D1335), ref: 007D17EE
HeapFree.KERNEL32(00000000), ref: 007D17F5

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8e30fa4058292ff87beac26d8b2bf40f8164461ce78db7f87ef756ffd8219f2a
Instruction ID: 8216fee64d2321a73b8d7320e582243faff81785743346eb81110a1bd50b07a7
Opcode Fuzzy Hash: 8e30fa4058292ff87beac26d8b2bf40f8164461ce78db7f87ef756ffd8219f2a
Instruction Fuzzy Hash: 56119072601605FFDB109FA4CC49BAF7BB9FF45365F50821AF44197220D739A944CB60

Function 007D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007D14FF
OpenProcessToken.ADVAPI32(00000000), ref: 007D1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007D1515
CloseHandle.KERNEL32(00000004), ref: 007D1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007D154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 007D1563

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b4daa9596abf9807fc82cd77fecb66e03f03b4f8584a1e9a884743f1fd25d78d
Instruction ID: 35f1a4b960a736a6dce157d45c5ff8e32878091b448a54f6482036f9cf62ee4a
Opcode Fuzzy Hash: b4daa9596abf9807fc82cd77fecb66e03f03b4f8584a1e9a884743f1fd25d78d
Instruction Fuzzy Hash: FB112972500249BBDF118F98ED49BDE7BB9FF48744F048115FA05A21A0C3798E60DB60

Function 00793382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00793379,00792FE5), ref: 00793390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0079339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007933B7
SetLastError.KERNEL32(00000000,?,00793379,00792FE5), ref: 00793409

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a3e10b76793edced195b73ba5c34195ea1a451e476bed29504a168faaf81e202
Instruction ID: 7ddd15da9a505170ec9fd51667538ab2a94b2bef57ae35c8e2f58ca1ca3d59a4
Opcode Fuzzy Hash: a3e10b76793edced195b73ba5c34195ea1a451e476bed29504a168faaf81e202
Instruction Fuzzy Hash: FD01423320D711FFEF2827B4BC8AA273AA4FB453793200329F810942F0EF194E025244

Function 007A2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007A5686,007B3CD6,?,00000000,?,007A5B6A,?,?,?,?,?,0079E6D1,?,00838A48), ref: 007A2D78
_free.LIBCMT ref: 007A2DAB
_free.LIBCMT ref: 007A2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0079E6D1,?,00838A48,00000010,00774F4A,?,?,00000000,007B3CD6), ref: 007A2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0079E6D1,?,00838A48,00000010,00774F4A,?,?,00000000,007B3CD6), ref: 007A2DEC
_abort.LIBCMT ref: 007A2DF2

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4c54807185fd91b9d966dda554eaba078010055b66e1ed5d38db4874c7aabdfe
Instruction ID: 96efebe1fc3f178a54dd85c4802ba8ccdd2e483d2e711e889ae23912be0ede1f
Opcode Fuzzy Hash: 4c54807185fd91b9d966dda554eaba078010055b66e1ed5d38db4874c7aabdfe
Instruction Fuzzy Hash: EEF04435745600BBC6622B3DBC0EB5F265ABFC37A5B254718F824A22E7EE2C98035561

Function 00808A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00789639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00789693
Part of subcall function 00789639: SelectObject.GDI32(?,00000000), ref: 007896A2
Part of subcall function 00789639: BeginPath.GDI32(?), ref: 007896B9
Part of subcall function 00789639: SelectObject.GDI32(?,00000000), ref: 007896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00808A4E
LineTo.GDI32(?,00000003,00000000), ref: 00808A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00808A70
LineTo.GDI32(?,00000000,00000003), ref: 00808A80
EndPath.GDI32(?), ref: 00808A90
StrokePath.GDI32(?), ref: 00808AA0

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 83d2f03fae16fdd0ebad1ff2a20d9e3bc20ddd3c8392b1aa5c17f5b3a207ec8d
Instruction ID: 63c2c519418fcacb00b687d9aa2e14896b173125ac9b0b5f0ff1e01f8f0b142e
Opcode Fuzzy Hash: 83d2f03fae16fdd0ebad1ff2a20d9e3bc20ddd3c8392b1aa5c17f5b3a207ec8d
Instruction Fuzzy Hash: 85110576000118FFEF129F90DC88EAA7F6CFB09390F048122FA199A1A1C7719D95DBA0

Function 007D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007D5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 007D5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007D5230
ReleaseDC.USER32(00000000,00000000), ref: 007D5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 007D524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 007D5261

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 00fc89b46abee76f393d73428452de7dff3b46b859ebbe2b7d54f28046e71dc0
Instruction ID: 9794c3cd7df37b18cafc1dc1580ef628998e73d8ab012fa4cf5d873191ad2f54
Opcode Fuzzy Hash: 00fc89b46abee76f393d73428452de7dff3b46b859ebbe2b7d54f28046e71dc0
Instruction Fuzzy Hash: 24014FB5A00718BBEB109FA69C49F5EBFB8FF58751F04416AFA04A7281D6709804CBA0

Function 00771BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00771BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00771BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00771C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00771C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00771C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00771C22

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 597c9caf08662a6c1664f95c8440f9792825b5caab155ce74429315b07285ef1
Instruction ID: a64ba736f5512c3ea5d4519b7c0216c2b7f1f0ec2945d27c873b399aa32ccac5
Opcode Fuzzy Hash: 597c9caf08662a6c1664f95c8440f9792825b5caab155ce74429315b07285ef1
Instruction Fuzzy Hash: E8016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 007DEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007DEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007DEB46
GetWindowThreadProcessId.USER32(?,?), ref: 007DEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007DEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007DEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007DEB75

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c99d7120a758e0b7b167e11877910e5416fac8d3c5c78ee6ab666698e01abc56
Instruction ID: 3156514a7fe21a42e1926eaf197d323ef0637b174ce669e6bac8f5d993eec8b8
Opcode Fuzzy Hash: c99d7120a758e0b7b167e11877910e5416fac8d3c5c78ee6ab666698e01abc56
Instruction Fuzzy Hash: 8BF09AB2200118BBE7615F629C0EEEF3A7CFFCAB11F000259F611D1190D7A11A01CAB4

Function 007C7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 007C7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 007C7469
GetWindowDC.USER32(?), ref: 007C7475
GetPixel.GDI32(00000000,?,?), ref: 007C7484
ReleaseDC.USER32(?,00000000), ref: 007C7496
GetSysColor.USER32(00000005), ref: 007C74B0

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1a75cd415889bf9367babf61af8797693a6b2cc98fc623436cacac9331e7cc13
Instruction ID: ad18c871a6db1eea7a341f0b84c1f94c406a05ab21954c30f9d44206fe58f093
Opcode Fuzzy Hash: 1a75cd415889bf9367babf61af8797693a6b2cc98fc623436cacac9331e7cc13
Instruction Fuzzy Hash: 7C014B32400615EFDBA55FA4DC09FAA7BB5FB04321F550268FE25A21A1CF351E51EF50

Function 007D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007D187F
UnloadUserProfile.USERENV(?,?), ref: 007D188B
CloseHandle.KERNEL32(?), ref: 007D1894
CloseHandle.KERNEL32(?), ref: 007D189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007D18A5
HeapFree.KERNEL32(00000000), ref: 007D18AC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d64ff9619ef108e377b894d90866d2802148d8c13358eb3ba45b5488ba7ab183
Instruction ID: 4abff9b4fec3a941e952bdc5688e400b714a7a0c7ec15bb52a36c8c0f1217826
Opcode Fuzzy Hash: d64ff9619ef108e377b894d90866d2802148d8c13358eb3ba45b5488ba7ab183
Instruction Fuzzy Hash: A3E0E536104101BBDB415FA5ED0C90AFF39FF49B22B108320F225811B0CB329420DF90

Function 007F7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00790242: EnterCriticalSection.KERNEL32(0084070C,00841884,?,?,0078198B,00842518,?,?,?,007712F9,00000000), ref: 0079024D
Part of subcall function 00790242: LeaveCriticalSection.KERNEL32(0084070C,?,0078198B,00842518,?,?,?,007712F9,00000000), ref: 0079028A

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007900A3: __onexit.LIBCMT ref: 007900A9

__Init_thread_footer.LIBCMT ref: 007F7BFB

Part of subcall function 007901F8: EnterCriticalSection.KERNEL32(0084070C,?,?,00788747,00842514), ref: 00790202
Part of subcall function 007901F8: LeaveCriticalSection.KERNEL32(0084070C,?,00788747,00842514), ref: 00790235

Strings

+T|, xrefs: 007F7E2E
G, xrefs: 007F7C7F
5, xrefs: 007F7C78
Variable must be of type 'Object'., xrefs: 007F7C3A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T|$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3335344960
Opcode ID: cce82671c1c456383cf52bf5ace40c790bca88ebc9c04cdbfa6816bc2e332ea5
Instruction ID: 0ca0ddfc89f94571d24228b12794aa4b00f429adff306341417d7a92c0f77c4c
Opcode Fuzzy Hash: cce82671c1c456383cf52bf5ace40c790bca88ebc9c04cdbfa6816bc2e332ea5
Instruction Fuzzy Hash: 9C918970A04209EFCB08EF94D8959BDB7B5FF49300F508059FA169B392DB39AE41CB61

Function 007DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00777620: _wcslen.LIBCMT ref: 00777625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007DC6EE
_wcslen.LIBCMT ref: 007DC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007DC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007DC7CA

Strings

0, xrefs: 007DC6AF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 3d610bf9b309ad86c64cfd70096645b63f2fc2c8a9e3cfdbbe5fd032f26a3263
Instruction ID: c0f48a5671b43101aaa167c5036b4218f6e9b55d0108fb77d6d7c19aaf467993
Opcode Fuzzy Hash: 3d610bf9b309ad86c64cfd70096645b63f2fc2c8a9e3cfdbbe5fd032f26a3263
Instruction Fuzzy Hash: FD51C1716143029BDB169F28C889B6B7BF8EF45324F040A2AF995D33D0DB78D944DB52

Function 007FAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 007FAEA3

Part of subcall function 00777620: _wcslen.LIBCMT ref: 00777625

GetProcessId.KERNEL32(00000000), ref: 007FAF38
CloseHandle.KERNEL32(00000000), ref: 007FAF67

Strings

@, xrefs: 007FAE72
<, xrefs: 007FAE6B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 50796369f7cfb0e43dee17b5d0653783a356b8fcd161cb1557e8cb3c8122f6b0
Instruction ID: 3a92902881ff0de680464def16262cc7b004e7cee5f4a78042154485759730f0
Opcode Fuzzy Hash: 50796369f7cfb0e43dee17b5d0653783a356b8fcd161cb1557e8cb3c8122f6b0
Instruction Fuzzy Hash: 00713B71A00619EFCF14DF54C485AAEBBF0BF08314F148499E91AAB352D778ED45CB91

Function 007D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007D7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007D723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007D724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007D72CF

Strings

DllGetClassObject, xrefs: 007D7242

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6ee95752edcdee589797a6881c19e6ea5b075ed264f0b9ef7cbfccdde651330d
Instruction ID: 62b65cc0759d927a7d773f914decee79051afe814485f3cace2a1fc8acc6bc66
Opcode Fuzzy Hash: 6ee95752edcdee589797a6881c19e6ea5b075ed264f0b9ef7cbfccdde651330d
Instruction Fuzzy Hash: B0415071604204EFDB19CF54C884A9A7BB9FF44320F1480AEBD059F34AE7B9E945DBA0

Function 00803D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00803E35
IsMenu.USER32(?), ref: 00803E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00803E92
DrawMenuBar.USER32 ref: 00803EA5

Strings

0, xrefs: 00803D89

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 689cb3cc6c264c3a6a0905da2e9367bd17cee1acb188abffda1ef8e04ecce0d8
Instruction ID: b663ce8748a81838dcf64989ae9ba262d1905129151a767cd66a8452ddd8bac5
Opcode Fuzzy Hash: 689cb3cc6c264c3a6a0905da2e9367bd17cee1acb188abffda1ef8e04ecce0d8
Instruction Fuzzy Hash: 22413779A01209EFEF50DF50DC84AAABBB9FF49354F044229E905E7690D730AE55CF60

Function 007D1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007D3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007D1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007D1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 007D1EA9

Part of subcall function 00776B57: _wcslen.LIBCMT ref: 00776B6A

Strings

ListBox, xrefs: 007D1E25
ComboBox, xrefs: 007D1DF0

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 7b56092df242291765157688868dee248c13668fdd1fd5a69ad7ea6e245c33db
Instruction ID: eef8cc84ad2eb84c54a5ee5deef6efaf4ec8bc30c530cde91142dd7008209121
Opcode Fuzzy Hash: 7b56092df242291765157688868dee248c13668fdd1fd5a69ad7ea6e245c33db
Instruction Fuzzy Hash: CC212971A01104FEDF14AB64DC4ACFFB7B9EF56390B54411AF825A72E1DB3C4D068620

Function 007FC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007FC9F1
_wcslen.LIBCMT ref: 007FCA68
_wcslen.LIBCMT ref: 007FCA9E
_wcslen.LIBCMT ref: 007FCAF9
_wcslen.LIBCMT ref: 007FCB2F
_wcslen.LIBCMT ref: 007FCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 007FCA62, 007FCA67
HKLM, xrefs: 007FCA98, 007FCA9D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: cbef13ed76e84dfd629f50419a4968a18801a533ad8626df9d8745749d82d8c8
Instruction ID: eccad16ae6052e1893c2d1b719da78ac17ec60a2952b78660c1d4d3c7d7a3170
Opcode Fuzzy Hash: cbef13ed76e84dfd629f50419a4968a18801a533ad8626df9d8745749d82d8c8
Instruction Fuzzy Hash: D0313673A0056D8BCB22DF6C9A514BE3391ABA1790F05C029EA15AB344FA79ED44D3A0

Function 00802F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00802F8D
LoadLibraryW.KERNEL32(?), ref: 00802F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00802FA9
DestroyWindow.USER32(?), ref: 00802FB1

Strings

SysAnimate32, xrefs: 00802F68

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 210902bf59c907744e7f294da996048ffb87e59037252a82995af2639e35484c
Instruction ID: 49ef316d1c9ff45377b5b370afec50379dac8d225b30f5cfa8c49870ab6fd68b
Opcode Fuzzy Hash: 210902bf59c907744e7f294da996048ffb87e59037252a82995af2639e35484c
Instruction Fuzzy Hash: D021AE7220020AABEF615F64DC88EBB77BDFB593A4F104218F950D21D0DBB1DC519760

Function 00794D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00794D1E,007A28E9,?,00794CBE,007A28E9,008388B8,0000000C,00794E15,007A28E9,00000002), ref: 00794D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00794DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00794D1E,007A28E9,?,00794CBE,007A28E9,008388B8,0000000C,00794E15,007A28E9,00000002,00000000), ref: 00794DC3

Strings

CorExitProcess, xrefs: 00794D98
mscoree.dll, xrefs: 00794D86

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7e7619a3b48e5e040eacfb429b7953d1efb48a235e03f5cf63a25cf635e1504
Instruction ID: 3f18138b3d98369c65e0c432e76d903418205c6acf466a9af928a60c1871e2ae
Opcode Fuzzy Hash: a7e7619a3b48e5e040eacfb429b7953d1efb48a235e03f5cf63a25cf635e1504
Instruction Fuzzy Hash: 3EF04F34A41208BBDB519F90EC49BEDBBB9FF44752F0441A4F909A22A0DB795981CBD0

Function 00774E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00774EDD,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00774EAE
FreeLibrary.KERNEL32(00000000,?,?,00774EDD,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774EC0

Strings

kernel32.dll, xrefs: 00774E94
Wow64DisableWow64FsRedirection, xrefs: 00774EA8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 2ff981b08b2ea3d52181a78ccb08b2af6bfabac63e666112cd001008acc4434f
Instruction ID: 40b888d46b0f54fa3787699410116bb85744b4737c20e7b7572991c96a502222
Opcode Fuzzy Hash: 2ff981b08b2ea3d52181a78ccb08b2af6bfabac63e666112cd001008acc4434f
Instruction Fuzzy Hash: D8E08C36A026226BD7B21F25AC18A6B7658FF82BB2B054215FC08E2240DBA8CD0180E0

Function 00774E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007B3CDE,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00774E74
FreeLibrary.KERNEL32(00000000,?,?,007B3CDE,?,00841418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00774E87

Strings

kernel32.dll, xrefs: 00774E5B
Wow64RevertWow64FsRedirection, xrefs: 00774E6E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 9c16458add82b446c08ca0aa77c12f081f21f492eb7e531d32adec263db76760
Instruction ID: 1d52a11079913a58d968c3356d326e5ecccc5e0b29387946ee90e4e555f3d555
Opcode Fuzzy Hash: 9c16458add82b446c08ca0aa77c12f081f21f492eb7e531d32adec263db76760
Instruction Fuzzy Hash: 13D0123650266157DBA21F256C18D8B7A1CFF86BB13054725B919E2254CFA8CD0186D0

Function 007E2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007E2C05
DeleteFileW.KERNEL32(?), ref: 007E2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007E2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007E2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007E2CC0

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 56dad6f4622cf2fa54724b58a10e27594bca93e7cc3cf97ca9aa05899eaa0762
Instruction ID: 6fe3edda001dd157bdb6c2ed2d470487a4c136b2a98578ddfcf5a8513eff55da
Opcode Fuzzy Hash: 56dad6f4622cf2fa54724b58a10e27594bca93e7cc3cf97ca9aa05899eaa0762
Instruction Fuzzy Hash: 78B17FB1901119EBDF21EFA5CC89EDEB77DEF48340F1040A6F609E6152EA389A45CF61

Function 007FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 007FA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007FA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007FA468
CloseHandle.KERNEL32(?), ref: 007FA63D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 198838c0feee181cbe9cb3ffa1dce3ab6700690b084eaa328f3c0a9be1e64189
Instruction ID: ae19be6610a02564364421f06f2ac2e68f96504009372b18b2fc694c20f19843
Opcode Fuzzy Hash: 198838c0feee181cbe9cb3ffa1dce3ab6700690b084eaa328f3c0a9be1e64189
Instruction Fuzzy Hash: 3FA18FB1604301AFD720DF24C886F2AB7E5AF88714F14885DFA5E9B392D774EC418B92

Function 007DE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007DCF22,?), ref: 007DDDFD

Part of subcall function 007DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007DCF22,?), ref: 007DDE16

Part of subcall function 007DE199: GetFileAttributesW.KERNEL32(?,007DCF95), ref: 007DE19A

lstrcmpiW.KERNEL32(?,?), ref: 007DE473
MoveFileW.KERNEL32(?,?), ref: 007DE4AC
_wcslen.LIBCMT ref: 007DE5EB
_wcslen.LIBCMT ref: 007DE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 007DE650

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 6322836d3a50dc576ecdcb008192ef7802ddc0f691902f9e048c08ade05378a8
Instruction ID: 9377908495cf04251c7d5de0e2f04c03f2e2eb88c8affae56791ce24b8fdfb55
Opcode Fuzzy Hash: 6322836d3a50dc576ecdcb008192ef7802ddc0f691902f9e048c08ade05378a8
Instruction Fuzzy Hash: 6451A6B24087859BCB25EB94DC859DF73ECAF84340F00491FF689D7251EF38A5888766

Function 007FB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007FB6AE,?,?), ref: 007FC9B5
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FC9F1
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FCA68
Part of subcall function 007FC998: _wcslen.LIBCMT ref: 007FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007FBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007FBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007FBB63
RegCloseKey.ADVAPI32(?,?), ref: 007FBBA6
RegCloseKey.ADVAPI32(00000000), ref: 007FBBB3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 92e767e98979006c10327195f5062dfbd4fbf58d8b1b33522e6ba53345f805f8
Instruction ID: 1183dd23a27f44f442aca19b203e2c05d21b4f505b8b012e86e1d5fcb157dbdc
Opcode Fuzzy Hash: 92e767e98979006c10327195f5062dfbd4fbf58d8b1b33522e6ba53345f805f8
Instruction Fuzzy Hash: C2619C71208205EFD714DF24C894E2ABBE5FF84348F14899CF5998B2A2CB35ED45CB92

Function 007D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007D8BCD
VariantClear.OLEAUT32 ref: 007D8C3E
VariantClear.OLEAUT32 ref: 007D8C9D
VariantClear.OLEAUT32(?), ref: 007D8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007D8D3B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 6c024914d536ea22b77a9476ccce67a7054d740714e14cfbc5c8efddb69c1208
Instruction ID: 3c81f42070c33a11dffe9c836f65603900f5068b8b52b2ac7ade25be92493aa7
Opcode Fuzzy Hash: 6c024914d536ea22b77a9476ccce67a7054d740714e14cfbc5c8efddb69c1208
Instruction Fuzzy Hash: 49516CB5A00619EFCB14CF68C884AAAB7F5FF8D310B15855AE919DB350E734E911CFA0

Function 007E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007E8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 007E8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007E8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007E8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007E8C5F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: fa4d130ba6480ba0764198a081ea39e60455f342a55c46c306d427be585278f2
Instruction ID: 43784e5fbb8c9c344317ebcf1729be3b1fe59e0de77f7e516e1f94d508499c92
Opcode Fuzzy Hash: fa4d130ba6480ba0764198a081ea39e60455f342a55c46c306d427be585278f2
Instruction Fuzzy Hash: 6C515835A00214DFCB05DF65C885A69BBF1FF49354F18C498E809AB362CB39ED51CBA1

Function 007F8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 007F8F40
GetProcAddress.KERNEL32(00000000,?), ref: 007F8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 007F8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 007F9032
FreeLibrary.KERNEL32(00000000), ref: 007F9052

Part of subcall function 0078F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,007E1043,?,753CE610), ref: 0078F6E6
Part of subcall function 0078F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,007CFA64,00000000,00000000,?,?,007E1043,?,753CE610,?,007CFA64), ref: 0078F70D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 5d34905bde46d72be1f9d3007c22473fa67f6c5555cb77bdbbd9bda6250d7808
Instruction ID: d64c5551d48ff24fcafdf0adfd37585a2d9b55a84cc319d94f4c1520d2e595ee
Opcode Fuzzy Hash: 5d34905bde46d72be1f9d3007c22473fa67f6c5555cb77bdbbd9bda6250d7808
Instruction Fuzzy Hash: 6C515A34601209DFCB15DF58C4849ADBBF1FF49314F0881A8EA0AAB362DB35ED85CB91

Function 00806B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00806C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00806C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00806C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,007EAB79,00000000,00000000), ref: 00806C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00806CC7

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 7efe794f7d9ff5d7cd771c0599bd80367c14cde3d86e6e23b86f01131b5dc394
Instruction ID: 8317c44e55974c26a52c7bd2f908e9f1a8e8499844aeea3b9971cddb2c036193
Opcode Fuzzy Hash: 7efe794f7d9ff5d7cd771c0599bd80367c14cde3d86e6e23b86f01131b5dc394
Instruction Fuzzy Hash: B241D735A04104AFEBA4CF28CC58FA57FA5FB09364F140228F895E72E0E771AD71CA40

Function 007A2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007A20C3
_free.LIBCMT ref: 007A20E3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7af6dfb027e1e5c1b718f2a60c21cc5621d0113a3fa1de673ee64b0e27db2c15
Instruction ID: 087a731b5b95f0bb436634307821a4dfa6d9c6f9e1b21896602173cff3a79bb1
Opcode Fuzzy Hash: 7af6dfb027e1e5c1b718f2a60c21cc5621d0113a3fa1de673ee64b0e27db2c15
Instruction Fuzzy Hash: A441E272A00204DFCB24DF7CC884A5EB7E5EFCA314F1546A9E515EB352DA35AD02CB81

Function 0078912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00789141
ScreenToClient.USER32(00000000,?), ref: 0078915E
GetAsyncKeyState.USER32(00000001), ref: 00789183
GetAsyncKeyState.USER32(00000002), ref: 0078919D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d54b8f9976e0dbe173dfdb39a5a80971e4e9695f01da10b73c48925bb9ccb833
Instruction ID: e27dbe62dcea86c90faed0b25ca1cd100f9f2b3ef674ac0a14cc91a52b398830
Opcode Fuzzy Hash: d54b8f9976e0dbe173dfdb39a5a80971e4e9695f01da10b73c48925bb9ccb833
Instruction Fuzzy Hash: 0F415F31A0850AFBDF19AF68C848BFEB775FB45324F248219E525A72D0CB785950CF51

Function 007E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007E38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 007E3922
TranslateMessage.USER32(?), ref: 007E394B
DispatchMessageW.USER32(?), ref: 007E3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E3966

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 9e61786be2f0897d81a10894c13d0692c18a7ed019c75deaca2522e799621f1a
Instruction ID: f57492fb8e17b5d75de84101130227e603297f0ebc10e20e6a2f164d54c46840
Opcode Fuzzy Hash: 9e61786be2f0897d81a10894c13d0692c18a7ed019c75deaca2522e799621f1a
Instruction Fuzzy Hash: 3C31A8745063C59EEF35CB36984DBB677A8BB1A308F040569E466C3191D3BCB684CB21

Function 007ECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,007EC21E,00000000), ref: 007ECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 007ECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,007EC21E,00000000), ref: 007ECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,007EC21E,00000000), ref: 007ECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,007EC21E,00000000), ref: 007ECFF2

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4249b3f37a89526f0976537fe1045d83fb3c894c9867731af989a8b144182366
Instruction ID: 941ac1a97fb9d939daf41e190f06700f580180a33ed2e9f440175cd046d91981
Opcode Fuzzy Hash: 4249b3f37a89526f0976537fe1045d83fb3c894c9867731af989a8b144182366
Instruction Fuzzy Hash: 48315E76601245EFDB21DFA6C884AABBBF9FF18351B10442EF506D2140DB38EE42DB60

Function 007D1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007D1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007D19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007D19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007D19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007D19E2

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4434686aaca3ee97f4d3da1b8bede35b64063bc416ea7249c35dd597ecde3aae
Instruction ID: ab2cc56cccd9ab05a5f5dcc8aaa117eb5d536f5ebdc614bdb7300cd72c080e74
Opcode Fuzzy Hash: 4434686aaca3ee97f4d3da1b8bede35b64063bc416ea7249c35dd597ecde3aae
Instruction Fuzzy Hash: 3C31AD71A00259EFCB10CFA8C9A9ADE3BB5FB04315F10432AF961A72D1C774A944CB90

Function 00805706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00805745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0080579D
_wcslen.LIBCMT ref: 008057AF
_wcslen.LIBCMT ref: 008057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00805816

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 48864edf65210128b16e075fc768571b49799f6ca2027bba1ea925dd9e95e168
Instruction ID: 0e50bc16f76ab970cb655c912f118d02a810fc4b31d4578dc4a5496ab83be87b
Opcode Fuzzy Hash: 48864edf65210128b16e075fc768571b49799f6ca2027bba1ea925dd9e95e168
Instruction Fuzzy Hash: 8121A575905618EADFA09F60DC84AEF7BBCFF04324F108216E929EA1C0D7709985CF60

Function 007F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007F0951
GetForegroundWindow.USER32 ref: 007F0968
GetDC.USER32(00000000), ref: 007F09A4
GetPixel.GDI32(00000000,?,00000003), ref: 007F09B0
ReleaseDC.USER32(00000000,00000003), ref: 007F09E8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e1c098e59b088ceeb782d41802a78e696c331e9dc46c1b9b23995234f567fe62
Instruction ID: 4eb99b446bcb7f7e4adefc276bb9a5eaa21842787f6fdfaf3553dbdef9cd5148
Opcode Fuzzy Hash: e1c098e59b088ceeb782d41802a78e696c331e9dc46c1b9b23995234f567fe62
Instruction Fuzzy Hash: 4E216F36600204EFD754EF65C889AAEBBE5FF48744F04856CF95A97362DB74AC04CB90

Function 007ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007ACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007ACDE9

Part of subcall function 007A3820: RtlAllocateHeap.NTDLL(00000000,?,00841444,?,0078FDF5,?,?,0077A976,00000010,00841440,007713FC,?,007713C6,?,00771129), ref: 007A3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007ACE0F
_free.LIBCMT ref: 007ACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007ACE31

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b883e5843d957beb00956f29ec07c2c564ebd10836ca6ca4466c57d0cb1cd594
Instruction ID: 5bbb68770c762e2529442943ed1d2fe288886a00b4cbfaab8a1d07712ed32b4e
Opcode Fuzzy Hash: b883e5843d957beb00956f29ec07c2c564ebd10836ca6ca4466c57d0cb1cd594
Instruction Fuzzy Hash: DF0184726052157F67221BBA6C8CD7B796DEEC7BA1315032DF905D7201EA698D0281F0

Function 00789639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00789693
SelectObject.GDI32(?,00000000), ref: 007896A2
BeginPath.GDI32(?), ref: 007896B9
SelectObject.GDI32(?,00000000), ref: 007896E2

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4fdb220d318d866d079418bcfa0cc879064bd4d95a76d67a34d4f4982282261b
Instruction ID: 94d7aa81b24c0d4797b169ce4b56f02b52f857038fae9f9716f168230f96ccd5
Opcode Fuzzy Hash: 4fdb220d318d866d079418bcfa0cc879064bd4d95a76d67a34d4f4982282261b
Instruction Fuzzy Hash: 11215E34942305EFDF11AF64EC18BB97FA8BB52365F54421AF520A61B0E3789892CF94

Function 007D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007D5726
_memcmp.LIBVCRUNTIME ref: 007D5744
_memcmp.LIBVCRUNTIME ref: 007D5757
_memcmp.LIBVCRUNTIME ref: 007D576F
_memcmp.LIBVCRUNTIME ref: 007D5787

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d7a8f6cd3159dd4140a7dcc17da5a8580c21dd718ef7c83d0703803843f78968
Instruction ID: 0a426d7ef4d600d51cf6ecbceed8973d491474f4b5b8ecebc6c0d1c7e3796e84
Opcode Fuzzy Hash: d7a8f6cd3159dd4140a7dcc17da5a8580c21dd718ef7c83d0703803843f78968
Instruction Fuzzy Hash: 9E019661741615FBE61855109D46EBA737CEB213B4B604022FE149A781F66DED2086A0

Function 007A2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0079F2DE,007A3863,00841444,?,0078FDF5,?,?,0077A976,00000010,00841440,007713FC,?,007713C6), ref: 007A2DFD
_free.LIBCMT ref: 007A2E32
_free.LIBCMT ref: 007A2E59
SetLastError.KERNEL32(00000000,00771129), ref: 007A2E66
SetLastError.KERNEL32(00000000,00771129), ref: 007A2E6F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9943666229bda152216141da680649db98ac273ac8851679ca4c3b64537fc924
Instruction ID: 3d9e6732031b9f38aa06c87d0d65b08e61cdd6819ee6984e1b5314137bdef32b
Opcode Fuzzy Hash: 9943666229bda152216141da680649db98ac273ac8851679ca4c3b64537fc924
Instruction Fuzzy Hash: C601F43220D600ABC6122B3D6C4EE2B2659BBD37B5B210728F425E22D3EB7CCC434521

Function 007D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?,?,?,007D035E), ref: 007D002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?,?), ref: 007D0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?,?), ref: 007D0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?), ref: 007D0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007CFF41,80070057,?,?), ref: 007D0070

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 19fbb0ab669f3fdc800e7f0796e91f3f6839770747ae30fffac295c9dad81d46
Instruction ID: 3249d05b095942cc10ee57f08cee91ba4c5fccdc7014119ac8f41d66f53f480f
Opcode Fuzzy Hash: 19fbb0ab669f3fdc800e7f0796e91f3f6839770747ae30fffac295c9dad81d46
Instruction Fuzzy Hash: 0501AD76600204BFDB504F68DC08BAA7AFDFF887A2F149225F905D2310E779DD409BA0

Function 007DE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 007DE997
QueryPerformanceFrequency.KERNEL32(?), ref: 007DE9A5
Sleep.KERNEL32(00000000), ref: 007DE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 007DE9B7
Sleep.KERNEL32 ref: 007DE9F3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7f2b2205174d185bba5888747abda87285012c183c026e8bd30c069c7b529172
Instruction ID: d2afc8331a2db4ca34c157ed580317439454614bf4a01d9d441dd66d34f3d1b6
Opcode Fuzzy Hash: 7f2b2205174d185bba5888747abda87285012c183c026e8bd30c069c7b529172
Instruction Fuzzy Hash: EB018C31D0262DDBCF41AFE4DC69AEDBB78FF08300F000656E502B6241DB38A551CBA2

Function 007D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007D1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007D0B9B,?,?,?), ref: 007D1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007D114D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3b641a0bfe9cd87b085f77ce31bf2fd926614625304510d49654168c659b0117
Instruction ID: 38c74eef03aa99571ffa5c7d95c78a88b2ca711be7cf14b243bbd205fd19e6b5
Opcode Fuzzy Hash: 3b641a0bfe9cd87b085f77ce31bf2fd926614625304510d49654168c659b0117
Instruction Fuzzy Hash: 2B013C75200209BFEB514FA9DC59E6A3F7EFF893A0B614519FA45D7360DB31DC009A60

Function 007D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007D0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007D0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007D0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007D0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007D1002

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a24f92e4a45c2bc30e323423a9f00a8511a21e3d940f68b54a7296afa1aa1c46
Instruction ID: 5bd5f9dffeb603b94ec853043cc70a03ae6c02a915903fa906f40cdab6358619
Opcode Fuzzy Hash: a24f92e4a45c2bc30e323423a9f00a8511a21e3d940f68b54a7296afa1aa1c46
Instruction Fuzzy Hash: 44F04935200301BBDB215FA4AC49F563BBDFF89762F514515FA45D62A1CA74DC408A60

Function 007D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007D102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007D1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007D1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007D104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007D1062

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f51f1b8727a4d7c035d0922e36f4d0350d427937439dcf5e172280f8ec7bdf3a
Instruction ID: 6e6f700b39effe1b44ac059c07e8973f5c372ffbf35aa545df4baa02f9155af6
Opcode Fuzzy Hash: f51f1b8727a4d7c035d0922e36f4d0350d427937439dcf5e172280f8ec7bdf3a
Instruction Fuzzy Hash: D1F0443A200301BBDB226FA4EC49F5A3BBEFF8A761F510515FA45C62A0CA74D8408A60

Function 007E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,007E017D,?,007E32FC,?,00000001,007B2592,?), ref: 007E0324
CloseHandle.KERNEL32(?,?,?,?,007E017D,?,007E32FC,?,00000001,007B2592,?), ref: 007E0331
CloseHandle.KERNEL32(?,?,?,?,007E017D,?,007E32FC,?,00000001,007B2592,?), ref: 007E033E
CloseHandle.KERNEL32(?,?,?,?,007E017D,?,007E32FC,?,00000001,007B2592,?), ref: 007E034B
CloseHandle.KERNEL32(?,?,?,?,007E017D,?,007E32FC,?,00000001,007B2592,?), ref: 007E0358
CloseHandle.KERNEL32(?,?,?,?,007E017D,?,007E32FC,?,00000001,007B2592,?), ref: 007E0365

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cbe58d127241ca86b34a3736e1798663ee617fd43665f320920025b24dc4aa4e
Instruction ID: 32c1e21aaef8f650c309f10ac36717999e135858d40e32789b7986eb3d09126b
Opcode Fuzzy Hash: cbe58d127241ca86b34a3736e1798663ee617fd43665f320920025b24dc4aa4e
Instruction Fuzzy Hash: 9401AE72802B559FCB30AF66D880812FBF9BF643153158A3FD19652931C3B5A998CF80

Function 007AD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007AD752

Part of subcall function 007A29C8: HeapFree.KERNEL32(00000000,00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000), ref: 007A29DE
Part of subcall function 007A29C8: GetLastError.KERNEL32(00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000,00000000), ref: 007A29F0

_free.LIBCMT ref: 007AD764
_free.LIBCMT ref: 007AD776
_free.LIBCMT ref: 007AD788
_free.LIBCMT ref: 007AD79A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a483ecdc4ee9bf8141c863139ff85c74ccb73295f3120bb2ef06c0cb0cc789ac
Instruction ID: c0a2b5f5b2de809d1b9c21b6cb5455bfaca27207ff0037d034eeee9447499455
Opcode Fuzzy Hash: a483ecdc4ee9bf8141c863139ff85c74ccb73295f3120bb2ef06c0cb0cc789ac
Instruction Fuzzy Hash: E1F0FF32544208AF8665EB68F9C5C2B7BDDBBC6710B950E05F449F7922C728FC808B65

Function 007D5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 007D5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 007D5C6F
MessageBeep.USER32(00000000), ref: 007D5C87
KillTimer.USER32(?,0000040A), ref: 007D5CA3
EndDialog.USER32(?,00000001), ref: 007D5CBD

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5bd36fa7d8a30cdc2a85de7fd1f856e91ace2555b94e03fff6d99afec10ce431
Instruction ID: d800aef2a1353da5e87c2709b48745a8d904140523dd843432b6488c848f4b69
Opcode Fuzzy Hash: 5bd36fa7d8a30cdc2a85de7fd1f856e91ace2555b94e03fff6d99afec10ce431
Instruction Fuzzy Hash: E001D630500B04AFEB305F10DD4EFA67BB8BB10B41F04165EA597A11E1DBF5AD848AA0

Function 007A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007A22BE

Part of subcall function 007A29C8: HeapFree.KERNEL32(00000000,00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000), ref: 007A29DE
Part of subcall function 007A29C8: GetLastError.KERNEL32(00000000,?,007AD7D1,00000000,00000000,00000000,00000000,?,007AD7F8,00000000,00000007,00000000,?,007ADBF5,00000000,00000000), ref: 007A29F0

_free.LIBCMT ref: 007A22D0
_free.LIBCMT ref: 007A22E3
_free.LIBCMT ref: 007A22F4
_free.LIBCMT ref: 007A2305

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27622e7d41b7423a4c96e545da3248cb508fd18fad1c56581e37edc59267895f
Instruction ID: 86bbd0ba95afcdc38507b468775d8ea838fa9b0049df72206a27f855bc058881
Opcode Fuzzy Hash: 27622e7d41b7423a4c96e545da3248cb508fd18fad1c56581e37edc59267895f
Instruction Fuzzy Hash: 81F05478400220CF8B52EF68BC0580A3B64F79BB51701071AF514E22F6CB3C1552EFE5

Function 007895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007895D4
StrokeAndFillPath.GDI32(?,?,007C71F7,00000000,?,?,?), ref: 007895F0
SelectObject.GDI32(?,00000000), ref: 00789603
DeleteObject.GDI32 ref: 00789616
StrokePath.GDI32(?), ref: 00789631

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d673a2649e0728f83cb29502c2718cef8285bd5eb098870f732684d8d4658240
Instruction ID: 1422cd10c348e4a317eeb68d0315d6731017307ea9c1f011dff7358becc155f8
Opcode Fuzzy Hash: d673a2649e0728f83cb29502c2718cef8285bd5eb098870f732684d8d4658240
Instruction Fuzzy Hash: 00F03739046608EBDB226F69ED1CBB43F61BB02322F488314F529550F0D73489A1DF20

Function 007A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007A10F9
__freea.LIBCMT ref: 007A1117

Part of subcall function 007A1537: _free.LIBCMT ref: 007A154F

Strings

am/pm, xrefs: 007A117A
a/p, xrefs: 007A11DE

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3f352d53110a1cd50b202d4e30cd53b4f7e16d8a42e4084b624d88fc76321086
Instruction ID: f0cf1be93f14e190d97668f6d62b9c117390c2b73266bad8eb17d0f18805b224
Opcode Fuzzy Hash: 3f352d53110a1cd50b202d4e30cd53b4f7e16d8a42e4084b624d88fc76321086
Instruction Fuzzy Hash: DDD1E535A00206DAEF289F68C855BFAB7B5FF87310FA84359E501AB650D37D9D80CB91

Function 007A5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOw, xrefs: 007A5BA8, 007A5C6C

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID: JOw
API String ID: 0-1003251281
Opcode ID: cb6c8b6347abe44b53fccb28e69b7513c3124af8ebf7bb48d5338d6512730b38
Instruction ID: 2197b3d37ce754d676e0f2f95af56d543cc432ab668f694bf0ec9f006d0fcbef
Opcode Fuzzy Hash: cb6c8b6347abe44b53fccb28e69b7513c3124af8ebf7bb48d5338d6512730b38
Instruction Fuzzy Hash: 685191B5D0060AEFCF119FA4D849FAE7BB8AF86320F14025AF505A7292D63D9901CB71

Function 007A8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 007A8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 007A8B7A
__dosmaperr.LIBCMT ref: 007A8B81

Strings

.y, xrefs: 007A8A63

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .y
API String ID: 2434981716-2155845462
Opcode ID: c2200cbd0bd742554cd8f6e25a83331a8447c523ff747c59c82d9512fe5f263c
Instruction ID: 2f69360c8797373c2d25d5b174fdfe9018e25f8c9424ab9cb781803ee4abaa41
Opcode Fuzzy Hash: c2200cbd0bd742554cd8f6e25a83331a8447c523ff747c59c82d9512fe5f263c
Instruction Fuzzy Hash: 6F418EF0604145AFCB649F64C884A7E7FA5EBC7300B2883A9F89587242DE39CC02C7A1

Function 007D2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007D21D0,?,?,00000034,00000800,?,00000034), ref: 007DB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007D2760

Part of subcall function 007DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 007DB3F8

Part of subcall function 007DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 007DB355
Part of subcall function 007DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007D2194,00000034,?,?,00001004,00000000,00000000), ref: 007DB365
Part of subcall function 007DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007D2194,00000034,?,?,00001004,00000000,00000000), ref: 007DB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007D27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007D281A

Strings

@, xrefs: 007D2832

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0e6b5e6dfa26354228b79164b481d769afd6c1e9f4d3373152c90cbe37fa98f0
Instruction ID: 200013a4a2f6cb827483f78adb66f2b079797bbb7c9d5c39fb7ece82850c796e
Opcode Fuzzy Hash: 0e6b5e6dfa26354228b79164b481d769afd6c1e9f4d3373152c90cbe37fa98f0
Instruction Fuzzy Hash: B3413C72900218EFDB10DFA4CD45AEEBBB8EF19300F00405AFA55B7281DB756E46DBA0

Function 007A172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 007A1769
_free.LIBCMT ref: 007A1834
_free.LIBCMT ref: 007A183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 007A1760, 007A1767, 007A1796, 007A17CE

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: bace9fbf73b93a7e852bf8734eb2f27f148b635018f7554afd11aff9ff71419f
Instruction ID: 418c70beaf58d6a868683748a9614f48e6786b37f8f648d3f45a713ae06b0b05
Opcode Fuzzy Hash: bace9fbf73b93a7e852bf8734eb2f27f148b635018f7554afd11aff9ff71419f
Instruction Fuzzy Hash: CC319375A00218EFEB21DF99D889D9EBBFCEBC6320F504266F504D7211D6B88E40CB90

Function 007DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007DC306
DeleteMenu.USER32(?,00000007,00000000), ref: 007DC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00841990,010A68D0), ref: 007DC395

Strings

0, xrefs: 007DC2DF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1e78d72c106fe2a3b7c0c63bbb9b8f85de808a9b255c6389b7731be589a2bd84
Instruction ID: 86f619cf4528184820e1ebe60e3c7cc4d9bdf9f2b5bce75795c62f7ad9cc56a2
Opcode Fuzzy Hash: 1e78d72c106fe2a3b7c0c63bbb9b8f85de808a9b255c6389b7731be589a2bd84
Instruction Fuzzy Hash: 68418E31204342DFDB25DF28D885B1ABBA4AF85310F10861EF9A5973D1D738A904CB62

Function 00804416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0080CC08,00000000,?,?,?,?), ref: 008044AA
GetWindowLongW.USER32 ref: 008044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008044D7

Strings

SysTreeView32, xrefs: 0080447C

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: fd68822deb9dc0564f04f161bc605a4f4e4abc34974b63b9267b82947ff1f708
Instruction ID: ecadae44e1b66756fc370c5684ccd17f2364bde0a395d17a3d0bc2def5e7f8e4
Opcode Fuzzy Hash: fd68822deb9dc0564f04f161bc605a4f4e4abc34974b63b9267b82947ff1f708
Instruction Fuzzy Hash: 72319C72240605ABDF609F38DC45BEA7BA9FB08324F205315FA79E22E0D774EC509750

Function 007D6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 007D6EED
VariantCopyInd.OLEAUT32(?,?), ref: 007D6F08
VariantClear.OLEAUT32(?), ref: 007D6F12

Strings

*j}, xrefs: 007D6E8B, 007D6E90, 007D6EF8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j}
API String ID: 2173805711-2067633288
Opcode ID: cf15679027912b74ee4ee242db9c171de19661ed0cb63a37b45d8dc7b2cc9afc
Instruction ID: 848710b8303ae7a5674785ae2fb1e4701d126311edf848b6893df1b757107c80
Opcode Fuzzy Hash: cf15679027912b74ee4ee242db9c171de19661ed0cb63a37b45d8dc7b2cc9afc
Instruction Fuzzy Hash: 6831E2B1604A05DFCF04AFA4E8959BE3776FF85B04B1044AAF8029B3A1C7389D11CBD0

Function 007F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,007F3077,?,?), ref: 007F3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007F307A
_wcslen.LIBCMT ref: 007F309B
htons.WSOCK32(00000000,?,?,00000000), ref: 007F3106

Strings

255.255.255.255, xrefs: 007F3095, 007F309A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 36b076f095f84f93701cb02248fb7b05082cd5459b35c4526bd52b100eb41702
Instruction ID: b3652a3fcb1cbc183b73ab3ca6a9dd4d0dc43254f3e4a36c125d00be6fda7011
Opcode Fuzzy Hash: 36b076f095f84f93701cb02248fb7b05082cd5459b35c4526bd52b100eb41702
Instruction Fuzzy Hash: 06310435200209DFCB10CF28C485EBA77E1EF14318F24C15AEA158B392DB3AEE45C761

Function 00803EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00803F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00803F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00803F78

Strings

SysMonthCal32, xrefs: 00803F0B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fe9faa6971e667075a43f654bef902d07aa60fb47a9ccf25710b40c1ad7a39c1
Instruction ID: 324b1707abf3cbfea6fea625a6dce2e5a4f4eb623d9d6e6e66074f387e749d5f
Opcode Fuzzy Hash: fe9faa6971e667075a43f654bef902d07aa60fb47a9ccf25710b40c1ad7a39c1
Instruction Fuzzy Hash: 0E219C32600219BBDF219F54DC46FEA3B79FF48714F110214FA19AB1D0DAB5A991CBA0

Function 00804653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00804705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00804713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0080471A

Strings

msctls_updown32, xrefs: 00804684

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a6d7f16ae5afbd830b0af0fe09c0d139a1a79caf2582739aeab63b73a78ce678
Instruction ID: 7e3a9e06d1f7a0a364d4ae67dd05fa7adcc25af0c119885b7f49977d58e6e0da
Opcode Fuzzy Hash: a6d7f16ae5afbd830b0af0fe09c0d139a1a79caf2582739aeab63b73a78ce678
Instruction Fuzzy Hash: 9C215EF5600208AFEB50DF68DC95DA73BADFB5A394B040459FA11DB2A1DB31EC51CA60

Function 007D95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007D961D

Strings

#OnAutoItStartRegister, xrefs: 007D95F3
#requireadmin, xrefs: 007D95D9
#notrayicon, xrefs: 007D95B7

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 200a0597f77ee0ee72a422b0f3c794b0be888ab508776a6b82292821aff6ecd5
Instruction ID: 04c48fa2fbad06fc682b9634483d89c54863e6384238e1664177da982221e6f0
Opcode Fuzzy Hash: 200a0597f77ee0ee72a422b0f3c794b0be888ab508776a6b82292821aff6ecd5
Instruction Fuzzy Hash: 3B212632204511A6C731BA24AC16FA773B8AF51310F148027FB5A97282EB5DED51C395

Function 008037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00803840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00803850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00803876

Strings

Listbox, xrefs: 0080380F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 2aa4f12bd5753fae0daf63eda6a47d045d1911e6d10013f9db221b986b784de8
Instruction ID: f673254fb3fb6e1104bd7dd10ee5513b159e2538cfaed964673d99badbb4dad2
Opcode Fuzzy Hash: 2aa4f12bd5753fae0daf63eda6a47d045d1911e6d10013f9db221b986b784de8
Instruction Fuzzy Hash: 27218E72610218BBEF619F54CC85EAB376EFF89754F108124F9549B1D0CA71DC5287A0

Function 007E49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007E4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007E4A5C
SetErrorMode.KERNEL32(00000000,?,?,0080CC08), ref: 007E4AD0

Strings

%lu, xrefs: 007E4A6F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 84815949b249ad822608d144ffdc42783cfd2a5a2e8d3df802dc1ba350c016d2
Instruction ID: dba0cda38dd96052e69cad7e81242a09cefd5085d1eb047348a0a991a78c4b11
Opcode Fuzzy Hash: 84815949b249ad822608d144ffdc42783cfd2a5a2e8d3df802dc1ba350c016d2
Instruction Fuzzy Hash: BF313E75A00109EFDB10DF64C885EAABBF8EF08318F1480A5E909DB352D775EE45CB61

Function 008041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0080424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00804264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00804271

Strings

msctls_trackbar32, xrefs: 00804226

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5a316ccd7cd0f1c59ce88369033498a6771d80b3ed74d0b48a08a4862ac98136
Instruction ID: c59b42e15a415e810b3f9ebc0f5569545fcc59493ec17101cb0c7827e9ba9ce0
Opcode Fuzzy Hash: 5a316ccd7cd0f1c59ce88369033498a6771d80b3ed74d0b48a08a4862ac98136
Instruction Fuzzy Hash: 6A11A371380248BEEF605F69CC06FAB3BACFF95B54F110528FA55E60D0D671D8619B50

Function 007D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00776B57: _wcslen.LIBCMT ref: 00776B6A

Part of subcall function 007D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007D2DC5
Part of subcall function 007D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 007D2DD6
Part of subcall function 007D2DA7: GetCurrentThreadId.KERNEL32 ref: 007D2DDD
Part of subcall function 007D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007D2DE4

GetFocus.USER32 ref: 007D2F78

Part of subcall function 007D2DEE: GetParent.USER32(00000000), ref: 007D2DF9

GetClassNameW.USER32(?,?,00000100), ref: 007D2FC3
EnumChildWindows.USER32(?,007D303B), ref: 007D2FEB

Strings

%s%d, xrefs: 007D2FFF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7cf04cbbb8de9a0e245cc4df8c8b9dfe45b13c91ca65fd5deb3928637197ec9b
Instruction ID: 6473c2ac3a812a5f69982c0ef89ca5327dedfa5aec417f6b66c743214117fe29
Opcode Fuzzy Hash: 7cf04cbbb8de9a0e245cc4df8c8b9dfe45b13c91ca65fd5deb3928637197ec9b
Instruction Fuzzy Hash: 1111E7B1300205ABCF547F708C89EED377AAFA4304F048076F9199B393DE395A0A8B60

Function 00805882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008058EE
DrawMenuBar.USER32(?), ref: 008058FD

Strings

0, xrefs: 0080588F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 3d7db58b7d217da41be90368b2c3c45b879ee359246ed12289f8d2ee57200d03
Instruction ID: dce3182987a3c75eb38f77018d9fa01c68bc0a0ac598287aa0d8178d93bde1b7
Opcode Fuzzy Hash: 3d7db58b7d217da41be90368b2c3c45b879ee359246ed12289f8d2ee57200d03
Instruction Fuzzy Hash: 0E016935500218EFDBA19F11EC48BAFBBB4FB45361F1080A9E849D61A1DB308A94EF31

Function 007CD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 007CD3BF
FreeLibrary.KERNEL32 ref: 007CD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 007CD3B9
X64, xrefs: 007CD2A8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 46aa0cc3841b48c50d61d5b1338fcb270a5d55cfe12d73ee63b9dee36d9d4e08
Instruction ID: 7be1d7a15146643ac97978f4d0a8ba822cdaade851a42881638bd14e1e6947ce
Opcode Fuzzy Hash: 46aa0cc3841b48c50d61d5b1338fcb270a5d55cfe12d73ee63b9dee36d9d4e08
Instruction Fuzzy Hash: 2CF05572806A219BD7B12B204C24F2A7710FF22B20F69437CE002E21C0E72CCC4483C2

Function 007D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a26b88804aa211f9131dc5a6e7b0d949350f547b2ab757de119e6616940252f
Instruction ID: 61faf3e71c389e056894841d1e97a38d02db9b000f37ed248b13321e52b9f1e8
Opcode Fuzzy Hash: 0a26b88804aa211f9131dc5a6e7b0d949350f547b2ab757de119e6616940252f
Instruction Fuzzy Hash: C9C14675A0020AEFCB14CFA8C898BAEB7B5FF48314F209599E505EB251D735EE41DB90

Function 007F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007F3459
CoUninitialize.OLE32 ref: 007F3463
VariantInit.OLEAUT32(?), ref: 007F346E
VariantClear.OLEAUT32(?), ref: 007F371B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 4db3ea8acf5b4115f3f6bd876793dae93cf19eec4c3730a37b30877a18f0e30b
Instruction ID: 19d8fbc110c47408343986941de1749f278077ab6832f73d110947afc9488c11
Opcode Fuzzy Hash: 4db3ea8acf5b4115f3f6bd876793dae93cf19eec4c3730a37b30877a18f0e30b
Instruction Fuzzy Hash: 7BA13B75604204DFCB04EF24C489A2AB7E5FF88754F148959F98A9B362DB38EE01CB91

Function 007D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0080FC08,?), ref: 007D05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0080FC08,?), ref: 007D0608
CLSIDFromProgID.OLE32(?,?,00000000,0080CC40,000000FF,?,00000000,00000800,00000000,?,0080FC08,?), ref: 007D062D
_memcmp.LIBVCRUNTIME ref: 007D064E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7a33facda952a3c25e9510e7e229cde3f9646bbedd88d70212b23c92c2d03573
Instruction ID: 5a67900edb2efc4000579d7750ff8ccaf2b950ee6e448423256dcedff53a710c
Opcode Fuzzy Hash: 7a33facda952a3c25e9510e7e229cde3f9646bbedd88d70212b23c92c2d03573
Instruction Fuzzy Hash: EF811B71A00109EFCB04DF94C988EEEB7B9FF89315F204559E506AB250DB75AE06CBA0

Function 007B1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007B14C0

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 186428d6a2ab3b4d14cad0e14c4a20a623a74fe069604f6f70725b01109a0623
Instruction ID: 09aae592ad197d860381111067ca6fb00e8a38cbb07c91f8e1e618f471b2b8c0
Opcode Fuzzy Hash: 186428d6a2ab3b4d14cad0e14c4a20a623a74fe069604f6f70725b01109a0623
Instruction Fuzzy Hash: C2412B31600140EBDF216BBD9C5ABEE3AA4FF86370FE44325F419D7192E63C49519762

Function 00806278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008062E2
ScreenToClient.USER32(?,?), ref: 00806315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00806382

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8b5b519e79f84c468d689108c9bda59c165dd87774973bad790dc09b07a98dd2
Instruction ID: 1e329c5dcd27a396f108b4f7e94b2c79c17600b49e9b31eab064150fe4f38319
Opcode Fuzzy Hash: 8b5b519e79f84c468d689108c9bda59c165dd87774973bad790dc09b07a98dd2
Instruction Fuzzy Hash: 76511974A00209EFDF60DF68D884AAE7BB5FB45360F118259F815D7290E731ADA1CB90

Function 007F1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007F1AFD
WSAGetLastError.WSOCK32 ref: 007F1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007F1B8A
WSAGetLastError.WSOCK32 ref: 007F1B94

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 0b54ed27e286b39dd2fa0242d0344cfb47b0ec9ee94e83388a4dd7edde00f5d7
Instruction ID: 7b1dce417f0eea99406208e30cdd90de697d2ea2c308a0af7647a74a54327d8c
Opcode Fuzzy Hash: 0b54ed27e286b39dd2fa0242d0344cfb47b0ec9ee94e83388a4dd7edde00f5d7
Instruction Fuzzy Hash: CC41AD74640200EFEB20AF24C88AF2977A5AB49718F54C458FA1A9F393D67ADD41CB90

Function 007AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ba284ed1200281641c4abd155b239b76932701893ca4dd453563515fea1440
Instruction ID: 004032caa0e4054632196ab684da7ab349d871ca4012cf67085c4f7a15d1d5fd
Opcode Fuzzy Hash: b8ba284ed1200281641c4abd155b239b76932701893ca4dd453563515fea1440
Instruction Fuzzy Hash: 6641F372A00344FFD7249F78CC45BAABBA9EBC9710F10462AF541DB283D779A9018780

Function 007E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007E5783
GetLastError.KERNEL32(?,00000000), ref: 007E57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007E57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007E57FA

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8c89c63cd8677fd1b15a3e9268ecd40cb65ed86114a9680c54209df90b8cc1d2
Instruction ID: 06aad4a7ebc22b7403c07dc221c9c3919cb591fda24219af0d5bd0c05e5d64ed
Opcode Fuzzy Hash: 8c89c63cd8677fd1b15a3e9268ecd40cb65ed86114a9680c54209df90b8cc1d2
Instruction Fuzzy Hash: 81412D35600610DFCF15EF15C548A1DBBE2EF89764B19C888E84A5B362CB38FD10CB91

Function 007AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00796D71,00000000,00000000,007982D9,?,007982D9,?,00000001,00796D71,?,00000001,007982D9,007982D9), ref: 007AD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007AD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 007AD9AB
__freea.LIBCMT ref: 007AD9B4

Part of subcall function 007A3820: RtlAllocateHeap.NTDLL(00000000,?,00841444,?,0078FDF5,?,?,0077A976,00000010,00841440,007713FC,?,007713C6,?,00771129), ref: 007A3852

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ccc63b07caedfd14f8d93a708d21761d68fca9082db96511c9cbaa49fb4eb173
Instruction ID: 094069c7324d0c97b1836addc182516edbdd92d0d7e89efd8a2bdadcc8163309
Opcode Fuzzy Hash: ccc63b07caedfd14f8d93a708d21761d68fca9082db96511c9cbaa49fb4eb173
Instruction Fuzzy Hash: 8331B072A0020AABDF249F65DC45EAF7BA5EF82310F054268FC05D7251EB39DD54CB90

Function 008052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00805352
GetWindowLongW.USER32(?,000000F0), ref: 00805375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00805382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008053A8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 6032470a2af5f4731f5fbfdb46d53f20d1e589130d25c0e28c27d33ed06e531c
Instruction ID: 88fc7e7f65c766dd04f650854051f537c7fdc7b7440f265b69d1023cfba6cdf5
Opcode Fuzzy Hash: 6032470a2af5f4731f5fbfdb46d53f20d1e589130d25c0e28c27d33ed06e531c
Instruction Fuzzy Hash: BC31AE34A55A0CAEEBB09E14CC16BEA7B65FB06390F594101BA11D63E0C7B0A9809F62

Function 007DAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 007DABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 007DAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 007DAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 007DACC6

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a6d908a928c32568a211b971bdd93e425a07348affbe196f7a8092b7c57567ed
Instruction ID: 149a8236a13ec009adfd3eabbf651ec72b66e0f599fcc26eaeb1dc5883b4e041
Opcode Fuzzy Hash: a6d908a928c32568a211b971bdd93e425a07348affbe196f7a8092b7c57567ed
Instruction Fuzzy Hash: 5F31F630A60618BFEB358B658C087FA7BB5BB85320F04431BE499523D1D37D99858772

Function 00807674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0080769A
GetWindowRect.USER32(?,?), ref: 00807710
PtInRect.USER32(?,?,00808B89), ref: 00807720
MessageBeep.USER32(00000000), ref: 0080778C

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a83ce690b9d78005371035be3ba7be3419f2522e3b991bebda0ecedbeb98530b
Instruction ID: 4cc1b0ee45f0a2e0d3d59e29a140700c46c7837fb4504553be91dd844000d11d
Opcode Fuzzy Hash: a83ce690b9d78005371035be3ba7be3419f2522e3b991bebda0ecedbeb98530b
Instruction Fuzzy Hash: E2418D38A052549FDB91CF58CC94EA9BBF4FF49344F1481A9E414DB2A1C371B981CB90

Function 008016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008016EB

Part of subcall function 007D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007D3A57
Part of subcall function 007D3A3D: GetCurrentThreadId.KERNEL32 ref: 007D3A5E
Part of subcall function 007D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007D25B3), ref: 007D3A65

GetCaretPos.USER32(?), ref: 008016FF
ClientToScreen.USER32(00000000,?), ref: 0080174C
GetForegroundWindow.USER32 ref: 00801752

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c7acee2708559ba9e82776faf72953a4b617b977718f8ff3e1fb042fff1953e6
Instruction ID: 7eca73ef083414e2f1ff1c37baed5e155c8722cf5af3c84947dddb3c40e48584
Opcode Fuzzy Hash: c7acee2708559ba9e82776faf72953a4b617b977718f8ff3e1fb042fff1953e6
Instruction Fuzzy Hash: 77317275D00149EFCB04DFA9C885CAEB7F9FF49304B54806AE415E7251DB359E45CBA0

Function 007DDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00777620: _wcslen.LIBCMT ref: 00777625

_wcslen.LIBCMT ref: 007DDFCB
_wcslen.LIBCMT ref: 007DDFE2
_wcslen.LIBCMT ref: 007DE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 007DE018

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 97482dc011a101e7eb939eb66d84de878b030ad3cce858e1b4979d6d17994776
Instruction ID: 9a3cd19358fe63759a2aaba1e99da8def491a675f45c1d2d80be913015f16277
Opcode Fuzzy Hash: 97482dc011a101e7eb939eb66d84de878b030ad3cce858e1b4979d6d17994776
Instruction Fuzzy Hash: 9E21E571900614EFCB21EFA8D881BAEB7F8EF45760F144065E904FB341D6789E41CBA1

Function 007DD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007DD501
Process32FirstW.KERNEL32(00000000,?), ref: 007DD50F
Process32NextW.KERNEL32(00000000,?), ref: 007DD52F
CloseHandle.KERNEL32(00000000), ref: 007DD5DC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a223aa276fbb3523cfc56622b9aa0cd5c1cc2e0248c312fbd06b24ebe6d52664
Instruction ID: 305e7a2840468ba73dddad30835ce826b4816ca6e7801e668a9ab46f5162c100
Opcode Fuzzy Hash: a223aa276fbb3523cfc56622b9aa0cd5c1cc2e0248c312fbd06b24ebe6d52664
Instruction Fuzzy Hash: D431C131108300DFD710EF64D885AAFBBF8EF99384F04452DF586822A1EB759945CBA2

Function 00808FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00789BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00789BB2

GetCursorPos.USER32(?), ref: 00809001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007C7711,?,?,?,?,?), ref: 00809016
GetCursorPos.USER32(?), ref: 0080905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007C7711,?,?,?), ref: 00809094

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2769794dffc53b3fafb71ca0b9dad6c739adfd92a065fda3434dd0bd37a2c7e1
Instruction ID: 77ad3fe15bb6e10c9b94e369ec6d49fbccb3dd7268a975fb801e93349e12c642
Opcode Fuzzy Hash: 2769794dffc53b3fafb71ca0b9dad6c739adfd92a065fda3434dd0bd37a2c7e1
Instruction Fuzzy Hash: 4B218D35600418EFDB658F94CC58EFA7BF9FF8A350F044165F985872A2C3319990DB60

Function 007DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0080CB68), ref: 007DD2FB
GetLastError.KERNEL32 ref: 007DD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 007DD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0080CB68), ref: 007DD376

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 377a41afe74972e02ec3ebf91708f01e4b7f8e6dfa8f53c7ffdd9f94986efc6f
Instruction ID: 4c9185c486bc9c52889fabd2201e625d9032735ab9cea249a3020dc82799c64d
Opcode Fuzzy Hash: 377a41afe74972e02ec3ebf91708f01e4b7f8e6dfa8f53c7ffdd9f94986efc6f
Instruction Fuzzy Hash: 5F212C70509201DFC720DF28C88586AB7F4BE56764F504A1EF4A9C73A1E7399D45CB93

Function 007D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007D102A
Part of subcall function 007D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007D1036
Part of subcall function 007D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007D1045
Part of subcall function 007D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007D104C
Part of subcall function 007D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007D1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007D15BE
_memcmp.LIBVCRUNTIME ref: 007D15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D1617
HeapFree.KERNEL32(00000000), ref: 007D161E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: af79e0ec83e484cf302236d89175e2079c7f26813f053de79b636362d3b0fac4
Instruction ID: f74a59c2a75f3e99eef4c9c6fd7a550fe410d24268c453be236412528e4a50f5
Opcode Fuzzy Hash: af79e0ec83e484cf302236d89175e2079c7f26813f053de79b636362d3b0fac4
Instruction Fuzzy Hash: 41218971E00109FFDF00DFA4C949BEEB7B8EF44344F49855AE441AB241EB38AA45CBA0

Function 00802782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0080280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00802824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00802832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00802840

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1790732d1881f2ea94fc85e72c455e0f276fc51781d44ab72f83e30364a62d3b
Instruction ID: d098bae7fe97fc10a4d46230e2cf1c484fdb4d199514f498f2299dff3af00214
Opcode Fuzzy Hash: 1790732d1881f2ea94fc85e72c455e0f276fc51781d44ab72f83e30364a62d3b
Instruction Fuzzy Hash: E221A435204515AFD7549B24CC49F6A7795FF46328F148258F426CB6E2CBB5FC42C790

Function 007D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,007D790A,?,000000FF,?,007D8754,00000000,?,0000001C,?,?), ref: 007D8D8C
Part of subcall function 007D8D7D: lstrcpyW.KERNEL32(00000000,?,?,007D790A,?,000000FF,?,007D8754,00000000,?,0000001C,?,?,00000000), ref: 007D8DB2
Part of subcall function 007D8D7D: lstrcmpiW.KERNEL32(00000000,?,007D790A,?,000000FF,?,007D8754,00000000,?,0000001C,?,?), ref: 007D8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,007D8754,00000000,?,0000001C,?,?,00000000), ref: 007D7923
lstrcpyW.KERNEL32(00000000,?,?,007D8754,00000000,?,0000001C,?,?,00000000), ref: 007D7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,007D8754,00000000,?,0000001C,?,?,00000000), ref: 007D7984

Strings

cdecl, xrefs: 007D797B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 17c0db109e9a86e7a40341f7ceba349a0a9cd45ca7c83c3e9e831534d74b30e1
Instruction ID: c526d68fcae3748820a94acd31f9c1cb5627b3c4cc183287077d2bd15352f552
Opcode Fuzzy Hash: 17c0db109e9a86e7a40341f7ceba349a0a9cd45ca7c83c3e9e831534d74b30e1
Instruction Fuzzy Hash: B011B43A200201ABCB195F34D855D7A77B9FF89350B50402BE946C73A4FB359811C7A1

Function 00807CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00807D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00807D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00807D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007EB7AD,00000000), ref: 00807D6B

Part of subcall function 00789BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00789BB2

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8b528419a8ee59db83a8b91a8425704ad36e4eba3a267cb833268c14413fb42a
Instruction ID: 7ea2c8f818c746399b77b94d03c48b303d80beb5e8506e8fa7f7aca9bcbfa0b8
Opcode Fuzzy Hash: 8b528419a8ee59db83a8b91a8425704ad36e4eba3a267cb833268c14413fb42a
Instruction Fuzzy Hash: 1E11AF36A05619AFDB509F28CC08AA63BA5FF46360B254728FD39C72F0E731E950CB50

Function 00805660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008056BB
_wcslen.LIBCMT ref: 008056CD
_wcslen.LIBCMT ref: 008056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00805816

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 5a3a4c9c1b1822017b9a5c336ffbc0b683a1d743d56cf920af7e7b906536e722
Instruction ID: cbe1da78947aeca8b17507c54ecd5e17db6e2d68545542376cbc92bbbb76b5b4
Opcode Fuzzy Hash: 5a3a4c9c1b1822017b9a5c336ffbc0b683a1d743d56cf920af7e7b906536e722
Instruction Fuzzy Hash: 5611E175A01A08A6DF609F61DC85AEF3BACFF10764B10402AF925E60C1EB709A81CF74

Function 007A1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6210792da8b5870a9b4d1af539a195fbf4f22b2fe077b37c1e766781764b0641
Instruction ID: 5cef0db3b070700940b66f9be64bb7783ace7cdfd66e2072337b474a39dd3e68
Opcode Fuzzy Hash: 6210792da8b5870a9b4d1af539a195fbf4f22b2fe077b37c1e766781764b0641
Instruction Fuzzy Hash: 3C01ADB230961A7EF7612A786CC4F27661CEFC37B8F710329F521A11D2DB689C005A70

Function 007D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007D1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007D1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007D1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007D1A8A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bffcb0faafecd736b3630fead13ee3203fe57cee37e5b50c732feaf0abaddfb5
Instruction ID: f699dc44a7cdf21d286b0c310b17682cfe1d8ba3f00003d146db5f1dccdf661e
Opcode Fuzzy Hash: bffcb0faafecd736b3630fead13ee3203fe57cee37e5b50c732feaf0abaddfb5
Instruction Fuzzy Hash: 4611393AD01219FFEB10DBA4CD85FADBB78FB08750F604092EA00B7290D6716E50DB94

Function 007DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007DE1FD
MessageBoxW.USER32(?,?,?,?), ref: 007DE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007DE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007DE24D

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 1465262b10ab14b7886b63a7b544581df0bd495d1637255afcea2882ca713f4a
Instruction ID: 7deac11d109737275a885c6beb10187e1560008676be674260e06c55309b6e54
Opcode Fuzzy Hash: 1465262b10ab14b7886b63a7b544581df0bd495d1637255afcea2882ca713f4a
Instruction Fuzzy Hash: 9C11DB76904254BBCB02AFA89C09A9F7FBCBB45314F14435AF914D7391D778DD0487A0

Function 0079D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0079CFF9,00000000,00000004,00000000), ref: 0079D218
GetLastError.KERNEL32 ref: 0079D224
__dosmaperr.LIBCMT ref: 0079D22B
ResumeThread.KERNEL32(00000000), ref: 0079D249

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bca4a690b8012df784ddbfc0d49a897d9dda7919e0d874b4ec21e62e2a7313e7
Instruction ID: 3bbf8b79b413ee3e9aeaa91c7b6248db616108afe2d77890f0bed574df1b7ab1
Opcode Fuzzy Hash: bca4a690b8012df784ddbfc0d49a897d9dda7919e0d874b4ec21e62e2a7313e7
Instruction Fuzzy Hash: 8201D236805208BBDF215FA9EC0ABAE7A69FF81730F210319F925921D0DB78CD01C6A0

Function 00809EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00789BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00789BB2

GetClientRect.USER32(?,?), ref: 00809F31
GetCursorPos.USER32(?), ref: 00809F3B
ScreenToClient.USER32(?,?), ref: 00809F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00809F7A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2ed8634178a7a647a26d61dd8913d5d5cb546f6c0a3cfb08d3823f165853e084
Instruction ID: 574c0cbacd6a091f67c621ba783ff2e579fdf87b3cbaade13f5986c0db10a7f6
Opcode Fuzzy Hash: 2ed8634178a7a647a26d61dd8913d5d5cb546f6c0a3cfb08d3823f165853e084
Instruction Fuzzy Hash: 62114836A0011AABDB50EFA8DC899EE7BB8FB05311F000555F951E3191DB30BA81CBA1

Function 0077600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0077604C
GetStockObject.GDI32(00000011), ref: 00776060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0077606A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f34d8e88813b17180b736e873a6663dd5e4f2bc85e1fd0df1e31e72c121bcf0f
Instruction ID: 0248df80b020764f7725ee21478ba36a0c4eac54f6c6c1875f2f1324fdddc2f9
Opcode Fuzzy Hash: f34d8e88813b17180b736e873a6663dd5e4f2bc85e1fd0df1e31e72c121bcf0f
Instruction Fuzzy Hash: 52118B72101908BFEF524FA48C44EEABBA9FF083A4F004215FA1852010D7369C60DBA0

Function 00793B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00793B56

Part of subcall function 00793AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00793AD2
Part of subcall function 00793AA3: ___AdjustPointer.LIBCMT ref: 00793AED

_UnwindNestedFrames.LIBCMT ref: 00793B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00793B7C
CallCatchBlock.LIBVCRUNTIME ref: 00793BA4

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 383071d3fcc70673cc667c72a1e9584731eeb3431f07ad48e9f5b0ddc1349cbc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C9012972100148BBDF126E95EC46EEB3B7AFF48754F044014FE4896121C73AE962EBA0

Function 007A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007713C6,00000000,00000000,?,007A301A,007713C6,00000000,00000000,00000000,?,007A328B,00000006,FlsSetValue), ref: 007A30A5
GetLastError.KERNEL32(?,007A301A,007713C6,00000000,00000000,00000000,?,007A328B,00000006,FlsSetValue,00812290,FlsSetValue,00000000,00000364,?,007A2E46), ref: 007A30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007A301A,007713C6,00000000,00000000,00000000,?,007A328B,00000006,FlsSetValue,00812290,FlsSetValue,00000000), ref: 007A30BF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 902c6b4ab9e1e4fdfbe25047f7e58b1e81746282da49781fac2231fde6f9db04
Instruction ID: a3de40865cfd80ea95e89d87575cf0f6419fa26452626a2f09c8b117ea2237e5
Opcode Fuzzy Hash: 902c6b4ab9e1e4fdfbe25047f7e58b1e81746282da49781fac2231fde6f9db04
Instruction Fuzzy Hash: E1012B32312226EBCB314F799C489577B9ABF87BA1B210720F905E3180D725D901C6E0

Function 007D7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 007D747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007D7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007D74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007D74CA

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 8e4208c2f9598f6993662d9f4b5e90b899917745b0374a5dbf58c5647fd83551
Instruction ID: 23412410464edd4d9eb99374a9c72e305a20fe77339e13f6bb3dee733a5984c1
Opcode Fuzzy Hash: 8e4208c2f9598f6993662d9f4b5e90b899917745b0374a5dbf58c5647fd83551
Instruction Fuzzy Hash: F811C0B1205750AFE7218F14DC09F92BFFCFB00B10F10856AA616D6291E7B4E904DBA0

Function 007DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007DACD3,?,00008000), ref: 007DB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007DACD3,?,00008000), ref: 007DB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007DACD3,?,00008000), ref: 007DB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007DACD3,?,00008000), ref: 007DB126

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e7c8fc3d6696a5cd7b4cdc494ce4300c07e928b837555a880e54ac106919d8b4
Instruction ID: c65266b20c10ae5227cde947923553f2cb2d064039fad454f61b4783133a4f32
Opcode Fuzzy Hash: e7c8fc3d6696a5cd7b4cdc494ce4300c07e928b837555a880e54ac106919d8b4
Instruction Fuzzy Hash: BB118031D0162CE7CF00AFE4E9596EEBF78FF49711F124186D941B2281CB389650CB95

Function 00807E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00807E33
ScreenToClient.USER32(?,?), ref: 00807E4B
ScreenToClient.USER32(?,?), ref: 00807E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00807E8A

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0dbc6fc0bd4d690d583435497b4132498939a89fded29eddcaa7aa9408236b29
Instruction ID: 040e846bba67442f3fc40018eaf43de4cd0cf2234c372cd1ab802539dae5b199
Opcode Fuzzy Hash: 0dbc6fc0bd4d690d583435497b4132498939a89fded29eddcaa7aa9408236b29
Instruction Fuzzy Hash: F81186B9D0020AAFDB41CF98C8849EEBBF5FF08310F104156E911E3250D735AA54CF50

Function 007D2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007D2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 007D2DD6
GetCurrentThreadId.KERNEL32 ref: 007D2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007D2DE4

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1398047e3f02cc5de1ddd3b7621d4c67b542f2b6eead57455dda02c7e61a00c4
Instruction ID: 51d9d4214ed33a003631198750aa795121a672fa5f11d37450ac3b378c0b111c
Opcode Fuzzy Hash: 1398047e3f02cc5de1ddd3b7621d4c67b542f2b6eead57455dda02c7e61a00c4
Instruction Fuzzy Hash: 78E06DB12012247AD7201B629C0DEEB3E6DFF66BA1F04021AB106D11919AA58842C6B0

Function 00808863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00789639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00789693
Part of subcall function 00789639: SelectObject.GDI32(?,00000000), ref: 007896A2
Part of subcall function 00789639: BeginPath.GDI32(?), ref: 007896B9
Part of subcall function 00789639: SelectObject.GDI32(?,00000000), ref: 007896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00808887
LineTo.GDI32(?,?,?), ref: 00808894
EndPath.GDI32(?), ref: 008088A4
StrokePath.GDI32(?), ref: 008088B2

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0055dd72edc52dcc40af6711a3811359a1dabf0da2651ba81a15861d03c27d34
Instruction ID: 47d2de15ce7471260a298f89b188d4d27175e3c9fdc110e576433d91a8f32307
Opcode Fuzzy Hash: 0055dd72edc52dcc40af6711a3811359a1dabf0da2651ba81a15861d03c27d34
Instruction Fuzzy Hash: 73F03A36041658FAEB526F94AC0DFCA3E59BF06310F448100FA11650E1C7755551DBE5

Function 007898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007898CC
SetTextColor.GDI32(?,?), ref: 007898D6
SetBkMode.GDI32(?,00000001), ref: 007898E9
GetStockObject.GDI32(00000005), ref: 007898F1

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: ef81faa0006920580f5178e2987dcffc84ca86c936440e391a21feb6ebfcd4dc
Instruction ID: f5b10391d63bbfb99c21d0b4068fc60d7b943f66ea24b73dfaad8282ffee4990
Opcode Fuzzy Hash: ef81faa0006920580f5178e2987dcffc84ca86c936440e391a21feb6ebfcd4dc
Instruction Fuzzy Hash: F3E03931284280AEDB615F74AC09BE83B20BB12336F048319FABA580E1C77586509B10

Function 007D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 007D1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007D11D9), ref: 007D163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007D11D9), ref: 007D1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007D11D9), ref: 007D164F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f8386d9fa90ff20a6be7216c47664422d8d3731e5f1c16e54746b726f2a44a0a
Instruction ID: aacd97fcf5e26aac645f2f663d65bc0890f8e48667e1eb9be5e498bc509de6d2
Opcode Fuzzy Hash: f8386d9fa90ff20a6be7216c47664422d8d3731e5f1c16e54746b726f2a44a0a
Instruction Fuzzy Hash: F4E08C32602211EBE7A01FA1AE0EB863B7CBF44792F148909F245C9090EA388440CB60

Function 007CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007CD858
GetDC.USER32(00000000), ref: 007CD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007CD882
ReleaseDC.USER32(?), ref: 007CD8A3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 080563d57fded2f246d5f61d6b6d66e4396fee68d5a1daa5af75a605e126cf8d
Instruction ID: 8b009cba28993463e46b6d6a55298c1be636e08ce2bcbfbebde5ff193c77ee90
Opcode Fuzzy Hash: 080563d57fded2f246d5f61d6b6d66e4396fee68d5a1daa5af75a605e126cf8d
Instruction Fuzzy Hash: C1E01AB1800204DFCFA1AFA0D80CA6DBBB1FB18310F14811DF856E7250CB398941AF50

Function 007CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007CD86C
GetDC.USER32(00000000), ref: 007CD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007CD882
ReleaseDC.USER32(?), ref: 007CD8A3

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f5e9466d73020aae2f6b141506d0c9297b4e8c4d84dd585580bf9d9e69b6a856
Instruction ID: 9ba44e664bcb2e2a6f09ffeb85be6d951c295636ba764b4e94992540813502d2
Opcode Fuzzy Hash: f5e9466d73020aae2f6b141506d0c9297b4e8c4d84dd585580bf9d9e69b6a856
Instruction Fuzzy Hash: E9E092B5800204EFCFA1AFA0D80D66DBBB5BB18311F149549E95AE7290DB395901AF50

Function 007E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00777620: _wcslen.LIBCMT ref: 00777625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 007E4ED4

Strings

LPT, xrefs: 007E4DFB
*, xrefs: 007E4E10

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6e73980a85bfea8cc4b80b42e5addf2f6a8805234335b9f8b9398f94cdf9c85c
Instruction ID: f675f3aa1328dc75a278161a12f963d4ad639927757f7332d8c8bd1030dca1ca
Opcode Fuzzy Hash: 6e73980a85bfea8cc4b80b42e5addf2f6a8805234335b9f8b9398f94cdf9c85c
Instruction Fuzzy Hash: 51917275A01244DFCB14DF59C484EAABBF1BF48704F198099E80A9F362D739ED85CB91

Function 0079E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0079E30D

Strings

pow, xrefs: 0079E2E5, 0079E302

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 81b2b00e1d5ad39cdc6e34f07e1592458df3d510beae3b37a9d64c918b735709
Instruction ID: ff58a0e11264b6ff1bc9e55087c8c01a2a03aa5540d167971e18ac335597196b
Opcode Fuzzy Hash: 81b2b00e1d5ad39cdc6e34f07e1592458df3d510beae3b37a9d64c918b735709
Instruction Fuzzy Hash: D3513B61A0D20296CF19B714ED453B93BA8FF81741F348E68F0D5422A9EF3D8C91DA46

Function 0078E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0078E1B1

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fb210a7ed5ef153b6b531eac63a4a1e3a634e1689189d3035951e9fdaea60170
Instruction ID: b9595e822b2b7366c02da1ebfb42c51cf8b7af19886acbaf9e7b2d0a12e9157b
Opcode Fuzzy Hash: fb210a7ed5ef153b6b531eac63a4a1e3a634e1689189d3035951e9fdaea60170
Instruction Fuzzy Hash: 3D51F075904246DFDF25EF68C485ABA7BA8FF25310F24805DE8919B290DB3C9D42CBA0

Function 0078F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0078F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0078F2BB

Strings

@, xrefs: 0078F2AF

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a29dbaa1cd85e2da58b9265bbd44a76688e0eb9275f737b479bf09f38d9273f8
Instruction ID: 937692c531b29f070d7835edec8fe0869fe5482c99c3302a7ead33c0d30e08e2
Opcode Fuzzy Hash: a29dbaa1cd85e2da58b9265bbd44a76688e0eb9275f737b479bf09f38d9273f8
Instruction Fuzzy Hash: 59514672418744DBD720AF20DC8ABAFBBF8FB95340F81885DF1D9411A5EB348529CB66

Function 007F5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007F57E0
_wcslen.LIBCMT ref: 007F57EC

Strings

CALLARGARRAY, xrefs: 007F57E6, 007F57EB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: aac44c8fead00879e46eec11b6ca105519e2e8ef71c292980cc8f8744e291b84
Instruction ID: 6f25f9d434c0a0b8da3fa77633c3de4f49d5f7c4b87d357e387073603120b876
Opcode Fuzzy Hash: aac44c8fead00879e46eec11b6ca105519e2e8ef71c292980cc8f8744e291b84
Instruction Fuzzy Hash: 7541A131A00209DFCF14EFA9C8868BEBBB5FF59360F104169E605A7391E7389D81CB90

Function 007ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007ED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007ED13A

Strings

|, xrefs: 007ED10B

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3784cb88800ef61589adfa9d8fd5cd544fb28c07fb236916acb088c0c99cd229
Instruction ID: 01385c66f79635dcecaac5b42c06df5e9132ec08fd36b3d69acc41e068b710e3
Opcode Fuzzy Hash: 3784cb88800ef61589adfa9d8fd5cd544fb28c07fb236916acb088c0c99cd229
Instruction Fuzzy Hash: 54312D71D01209EBCF15EFA5CC89AEE7FB9FF08340F004019F919A6165E775A916CB61

Function 0080356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00803621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0080365C

Strings

static, xrefs: 008035BC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: afbcb02fc5b28378e768cfc0898fe16a9ec67aead55fa2ade2daa8cda2741d1f
Instruction ID: 369dd3f6866f49af6a593a568a99bcca856ee98ea16e5bc642d4683e66f58cb2
Opcode Fuzzy Hash: afbcb02fc5b28378e768cfc0898fe16a9ec67aead55fa2ade2daa8cda2741d1f
Instruction Fuzzy Hash: F331AB71100608AAEB609F28DC81EBB73ADFF98720F109619F8A5D7290DB35AD81D760

Function 00804537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0080461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00804634

Strings

', xrefs: 0080458E

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: abe53eddfca44fb03342d9d3d5a5595afcd7cdc619393b44e2ae49e2d3b0a5db
Instruction ID: 9db506ca04222c56296e73eb82a6b52940ad1e067dc08c937cb62d12f9ed5db0
Opcode Fuzzy Hash: abe53eddfca44fb03342d9d3d5a5595afcd7cdc619393b44e2ae49e2d3b0a5db
Instruction Fuzzy Hash: E0314AB5A4120A9FEF54CFA9C980BDA7BB5FF49300F105069EA14EB381E771A941CF90

Function 008031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0080327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00803287

Strings

Combobox, xrefs: 00803249

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a32f78ab1b61e580e2d9a522cee080a50ffd5ba75b563c4e07c61101474a63ab
Instruction ID: a882a58fbbdc81c5b26d849ec035d567a625e05f762654d37d6868d049180607
Opcode Fuzzy Hash: a32f78ab1b61e580e2d9a522cee080a50ffd5ba75b563c4e07c61101474a63ab
Instruction Fuzzy Hash: D9118E71200208AFEFA19E54DC85EAB376EFB943A5F104129F928D72D0D6319D518760

Function 00803710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0077600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0077604C
Part of subcall function 0077600E: GetStockObject.GDI32(00000011), ref: 00776060
Part of subcall function 0077600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077606A

GetWindowRect.USER32(00000000,?), ref: 0080377A
GetSysColor.USER32(00000012), ref: 00803794

Strings

static, xrefs: 00803757

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c727d15430dacb6cf5adef2cbb7aaaa80446e40316cade932190d81c751efc88
Instruction ID: 58e6350d12b6d1464b506f8ebcdf70dd2df02d010d161f73a145701afa4e90bd
Opcode Fuzzy Hash: c727d15430dacb6cf5adef2cbb7aaaa80446e40316cade932190d81c751efc88
Instruction Fuzzy Hash: A31129B2610209AFDF50DFA8CC45EFA7BB8FB08354F004A25F955E2290E735E851DB50

Function 007ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007ECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007ECDA6

Strings

<local>, xrefs: 007ECD66

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: da96a56702c037ab4bf5fe84e2fafd6fa7bae13b832c0b253471e4c88d3f2ffe
Instruction ID: a4e46c32f1aa4a16b3839e9d23d2b6c63df38eba2c8ab353ae3fb634e445e273
Opcode Fuzzy Hash: da96a56702c037ab4bf5fe84e2fafd6fa7bae13b832c0b253471e4c88d3f2ffe
Instruction Fuzzy Hash: FD11C679306671BAD7758B678C45EE7BEACEF167A4F004226B10983180D7799842D6F0

Function 00803429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008034BA

Strings

edit, xrefs: 0080348F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5e546a4ffa50fd3e7faf06c50dbab3d0772ecd0297d039afcb46979364443f60
Instruction ID: 50b9080ef1e40375910d34f0ed4d047fa8f5461ce23148d7bb55052ae65bc633
Opcode Fuzzy Hash: 5e546a4ffa50fd3e7faf06c50dbab3d0772ecd0297d039afcb46979364443f60
Instruction Fuzzy Hash: 47119D71100508AAEB914F64DC44AAA376EFB25378F504324F960DB1E0C771DD919758

Function 007D6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

CharUpperBuffW.USER32(?,?,?), ref: 007D6CB6
_wcslen.LIBCMT ref: 007D6CC2

Strings

STOP, xrefs: 007D6CBC, 007D6CC1

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 355be675ca26fe8b17a0def58e46884034b3166ac5e0710d206b7c471c6e1fdc
Instruction ID: 3d1db5ed0d6494b46c0fead108c20addb26eb5ec73163ff982e182c0e5b2136e
Opcode Fuzzy Hash: 355be675ca26fe8b17a0def58e46884034b3166ac5e0710d206b7c471c6e1fdc
Instruction Fuzzy Hash: AF0104326105268ACF20AFBDDC858BF73B5FB61750700052AE86692291EA39E800C660

Function 007D1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007D3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007D1D4C

Strings

ListBox, xrefs: 007D1D16
ComboBox, xrefs: 007D1CEB

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 97268965c6c8feb0fd3bf20ae25eb1e33fdabd31de5060eb2bdd6bd7aa327d6c
Instruction ID: ad404057d2978835f680a02d715a7da0f3904f13b2e425a251696704437e79a1
Opcode Fuzzy Hash: 97268965c6c8feb0fd3bf20ae25eb1e33fdabd31de5060eb2bdd6bd7aa327d6c
Instruction Fuzzy Hash: 5B01B571711218ABCF14EBA4CD55CFEB379FB56390B440A1AE836673C1EB3959088671

Function 007D1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007D3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 007D1C46

Strings

ListBox, xrefs: 007D1C10
ComboBox, xrefs: 007D1BE5

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9331ffb5eed01e0b69bd252925e39f96db6f67104af652d844f78375657c128c
Instruction ID: 389e5aaf2b61daf3e3fbc597810c7394418ea2ca395eaf6ece0989532b6e5f29
Opcode Fuzzy Hash: 9331ffb5eed01e0b69bd252925e39f96db6f67104af652d844f78375657c128c
Instruction Fuzzy Hash: E701A775791104B6DF14EBA0CE56DFFB7B89B52380F54001AA51E773C2EA289E0886B2

Function 007D1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007D3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 007D1CC8

Strings

ListBox, xrefs: 007D1C94
ComboBox, xrefs: 007D1C69

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c2bff91e323ed69cd91931ada67bd6b989094afedc8f2b68c2b6ea3b96aa9163
Instruction ID: 0cb0c791f62759e021fa544fb8544bc7a76cf68b6b2a8c794cf2cfb4046166b0
Opcode Fuzzy Hash: c2bff91e323ed69cd91931ada67bd6b989094afedc8f2b68c2b6ea3b96aa9163
Instruction Fuzzy Hash: AC01A771751114B6CF14EBA0CA06EFEB3B8AB11380F540016B91973381EA299F08C672

Function 007D1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779CB3: _wcslen.LIBCMT ref: 00779CBD

Part of subcall function 007D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007D3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 007D1DD3

Strings

ListBox, xrefs: 007D1DA0
ComboBox, xrefs: 007D1D75

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: eb7f64afb40fedd5e3d7bc2e525f1334f36d972d7743b98ab158eff6ba444d62
Instruction ID: 4b1a29a819100f8550664655791c351bdc349a029aa55e6a4e1d367209117628
Opcode Fuzzy Hash: eb7f64afb40fedd5e3d7bc2e525f1334f36d972d7743b98ab158eff6ba444d62
Instruction Fuzzy Hash: D4F0F471B52214B6CF04E7A4CD56EFEB378AB12390F44091AB936A33C1DB68590882B1

Function 007F747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007F7493
_wcslen.LIBCMT ref: 007F74B9

Strings

3, 3, 16, 1, xrefs: 007F7483

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a6f7f2e4f0788bdd74af2540e5965a9cc982e0e71317a3e8d5989bf7760d9b87
Instruction ID: cf653e205d23cc930a38400a9a5382069feeace3c1bc8daf9442b983058cf3e3
Opcode Fuzzy Hash: a6f7f2e4f0788bdd74af2540e5965a9cc982e0e71317a3e8d5989bf7760d9b87
Instruction Fuzzy Hash: 9BE02B52204664609235227DACC5D7F5689DFC9760710182BFA81C2366EA9CDD92D3A0

Function 007D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007D0B23

Strings

Error allocating memory., xrefs: 007D0B1C
AutoIt, xrefs: 007D0B17

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: cd0afbd27a1818ee94899db5bf4cc7a3a4cd127fef202ad594a7b6c73be081d4
Instruction ID: 123e13791d114269a8eea5717b36dc78a6e81a86bac9bfa33ace32071d2306ec
Opcode Fuzzy Hash: cd0afbd27a1818ee94899db5bf4cc7a3a4cd127fef202ad594a7b6c73be081d4
Instruction Fuzzy Hash: 5BE0D831284308A6D6143B947C0BF897B84DF05B61F100427FB58956C38AE9249006E9

Function 00790D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0078F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00790D71,?,?,?,0077100A), ref: 0078F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0077100A), ref: 00790D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0077100A), ref: 00790D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00790D7F

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f8ac2c2bf096774bdf573a0b76f991a37fc801e47168bf9cf7600dd0a385d76f
Instruction ID: c8c6ab4ecafa1072893424ecaf2608abaef755f4d3bccac7662d27370e8b7c3c
Opcode Fuzzy Hash: f8ac2c2bf096774bdf573a0b76f991a37fc801e47168bf9cf7600dd0a385d76f
Instruction Fuzzy Hash: 1DE0ED742007518FEBB09FB8E8487467BE4BB14754F008A2DE996C6A92DBB9E444CBD1

Function 007E3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 007E302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 007E3044

Strings

aut, xrefs: 007E3038

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 38effe4cbfe31e0a0f0e5116dd64f4d8d6e752dfed69f465688474c40a9c1c89
Instruction ID: c0c34aab24ee5e003bd141fd2c06e20fc28f34c5ebf3d2dba5648e57dc8d2c7d
Opcode Fuzzy Hash: 38effe4cbfe31e0a0f0e5116dd64f4d8d6e752dfed69f465688474c40a9c1c89
Instruction Fuzzy Hash: 92D05E7250032877DA60ABA8AC0EFCB3B6CEB05750F0002A1B655E20D1EAB49984CAD0

Function 007CD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007CD220

Strings

%.3d, xrefs: 007CD22B
X64, xrefs: 007CD2A8

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 13c5a909eae121d8a245ef754aa562430a3dd5854f77032c01eeb7ee3f44a092
Instruction ID: 7ad0493857eb2b7378e96584b621496b5839d9b4c623cc14f63c64c7374a377b
Opcode Fuzzy Hash: 13c5a909eae121d8a245ef754aa562430a3dd5854f77032c01eeb7ee3f44a092
Instruction Fuzzy Hash: B8D012A1C48108E9CBB0A7E0CC49EBAB3BCFB09301F50847EF806D2040D63CCD486B61

Function 00802322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0080232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0080233F

Part of subcall function 007DE97B: Sleep.KERNEL32 ref: 007DE9F3

Strings

Shell_TrayWnd, xrefs: 00802325

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8ffe0966762128bbcea2dcaf1b6e06b2758681732ebbbe7d24c78e1ba2e6046c
Instruction ID: de3898598dd4fad9ec3133546fb9dc177223bd54a239f5a0eabd5aa1af535324
Opcode Fuzzy Hash: 8ffe0966762128bbcea2dcaf1b6e06b2758681732ebbbe7d24c78e1ba2e6046c
Instruction Fuzzy Hash: FFD0C976395310B6E6E8BB709C1FFC66A18BB50B14F108A167655AA2D0D9A4A8018A94

Function 00802356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0080236C
PostMessageW.USER32(00000000), ref: 00802373

Part of subcall function 007DE97B: Sleep.KERNEL32 ref: 007DE9F3

Strings

Shell_TrayWnd, xrefs: 00802365

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a9d7dee7963ff627b3f1c917933251882e52772baf18ed0fb0743cf039ed07a8
Instruction ID: 5db35058612691e908305e3e9cc3af431ebffef696b2edf29fd67eb6bcb6aaaf
Opcode Fuzzy Hash: a9d7dee7963ff627b3f1c917933251882e52772baf18ed0fb0743cf039ed07a8
Instruction Fuzzy Hash: 2CD0C976382310BAE6E8BB709C0FFC66618BB55B14F508A167655EA2D0D9A4B8018A94

Function 007ABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 007ABE93
GetLastError.KERNEL32 ref: 007ABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007ABEFC

Memory Dump Source

Source File: 00000000.00000002.1698693892.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.1698679748.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.000000000080C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698782784.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698828424.000000000083C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698847958.0000000000844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4e0f6b39c467c80c7aa5e77a63a0ce04e75892540421b84354a99f4768ef7373
Instruction ID: db7c9c21422e587115a4439a61c6542057a954b8f106404c9aeefaf1a33f686e
Opcode Fuzzy Hash: 4e0f6b39c467c80c7aa5e77a63a0ce04e75892540421b84354a99f4768ef7373
Instruction Fuzzy Hash: C7412935605246EFCF218FA4DC94ABA7BA4EF83310F184369F959971A3DB348D00CB50

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.79.208.1
Source: unknown	TCP traffic detected without corresponding DNS query: 178.79.208.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1552351272&timestamp=1727889851141 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=vqgYLiANKHTkc6WX5XgaDxk4LZpfrK-Sm0UZ5ic_OYQbh3PBc31yZv-MEP4nCOcieycRFHyL-mYtD73GJ5Ej9mGwXeVfAcaPfhiBbrvOBq1gY15oTr9fTaqYH2-GIMUBGpBbuAwSTJiJ-s1UNAdPvIhPBM9dDiRFzeeYK7dX-pYHMfBF19A
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4BOnfg3sDZ1+ln5&MD=7mmXW1cb HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4BOnfg3sDZ1+ln5&MD=7mmXW1cb HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Static File Info

General

Windows Analysis Report
file.exe

Function 007742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 007742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 007B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 007FA67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Function 007DDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 007FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00772CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 007B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0077344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre