Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541956
MD5:	81179973941258193a072d65b533706c
SHA1:	18004cce2e025df386dafca9c5107e73fb42c131
SHA256:	2a4ad8fc9e9ca97ede614b35ffff9a4262edfe15e9122f56a03f1ca526be22af
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 81179973941258193A072D65B533706C)

taskkill.exe (PID: 6692 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6972 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7112 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2180 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2188 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5812 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4928 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5264 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4192 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b841c54-9063-4cde-bece-834a3cb9db18} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24cd016d510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7448 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4128 -parentBuildID 20230927232528 -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4cd9f1b-c0c4-4422-89cd-b29c88cba1c3} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24ce0d91210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8096 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5324 -prefMapHandle 1540 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1599c2d0-7688-43fa-a3dd-8a8d1812e970} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24ce175b710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6644	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0073EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0073EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0073ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0073ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0073EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0072AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00759576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00759576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1798987073.0000000000782000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8c7dce6a-4
Source: file.exe, 00000000.00000000.1798987073.0000000000782000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4f0bd881-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_473e5958-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_21d01713-b

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000180AB3E75B7 NtQuerySystemInformation,		16_2_00000180AB3E75B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000180AB64BD72 NtQuerySystemInformation,		16_2_00000180AB64BD72

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0072D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00721201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00721201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0072E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CBF40	0_2_006CBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C8060	0_2_006C8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00732046	0_2_00732046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00728298	0_2_00728298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FE4FF	0_2_006FE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F676B	0_2_006F676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00754873	0_2_00754873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CCAF0	0_2_006CCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006ECAA0	0_2_006ECAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DCC39	0_2_006DCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F6DD9	0_2_006F6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DB119	0_2_006DB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C91C0	0_2_006C91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E1394	0_2_006E1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E1706	0_2_006E1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E781B	0_2_006E781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D997D	0_2_006D997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C7920	0_2_006C7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E19B0	0_2_006E19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E7A4A	0_2_006E7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E1C77	0_2_006E1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E7CA7	0_2_006E7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074BE44	0_2_0074BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F9EEE	0_2_006F9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E1F32	0_2_006E1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000180AB3E75B7	16_2_00000180AB3E75B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000180AB64BD72	16_2_00000180AB64BD72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000180AB64BDB2	16_2_00000180AB64BDB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000180AB64C49C	16_2_00000180AB64C49C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006DF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006E0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007337B5 GetLastError,FormatMessageW,

0_2_007337B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007210BF AdjustTokenPrivileges,CloseHandle,		0_2_007210BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007216C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007351CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0072D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0073648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0073648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006C42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.2028965135.0000024CEB6D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2025692185.0000024CEC59C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.2027828695.0000024CEC034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2031186838.0000024CEB693000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028965135.0000024CEB693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b841c54-9063-4cde-bece-834a3cb9db18} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24cd016d510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4128 -parentBuildID 20230927232528 -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4cd9f1b-c0c4-4422-89cd-b29c88cba1c3} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24ce0d91210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5324 -prefMapHandle 1540 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1599c2d0-7688-43fa-a3dd-8a8d1812e970} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24ce175b710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b841c54-9063-4cde-bece-834a3cb9db18} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24cd016d510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4128 -parentBuildID 20230927232528 -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4cd9f1b-c0c4-4422-89cd-b29c88cba1c3} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24ce0d91210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5324 -prefMapHandle 1540 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1599c2d0-7688-43fa-a3dd-8a8d1812e970} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24ce175b710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1978856652.0000024CDD73F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1981015891.0000024CDD739000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1978856652.0000024CDD73F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1981015891.0000024CDD739000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006C42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E0A76 push ecx; ret

0_2_006E0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006DF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00751C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00751C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94702

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000180AB3E75B7 rdtsc

16_2_00000180AB3E75B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0072DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007368EE FindFirstFileW,FindClose,	0_2_007368EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0073698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0072D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0072D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00739642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00739642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00739B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00739B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00735C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00735C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006C42DE

Source: firefox.exe, 0000000D.00000003.1837738873.0000024CD1D42000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837833629.0000024CD1D3F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837633556.0000024CD1D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz
Source: firefox.exe, 00000011.00000002.3067192934.0000022A627FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@X
Source: firefox.exe, 0000000F.00000002.3075203418.0000020B83200000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3067568355.0000020B82C9A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3074569301.00000180ABBCB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3066730472.00000180AB2BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3074095978.0000020B83119000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3075203418.0000020B83200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: firefox.exe, 00000010.00000002.3074569301.00000180ABBCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ^+
Source: firefox.exe, 0000000F.00000002.3075203418.0000020B83200000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3074569301.00000180ABBCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000180AB3E75B7 rdtsc

16_2_00000180AB3E75B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0073EAA2 BlockInput,

0_2_0073EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006F2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006C42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E4CE8 mov eax, dword ptr fs:[00000030h]

0_2_006E4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00720B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00720B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006F2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006E083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E09D5 SetUnhandledExceptionFilter,	0_2_006E09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006E0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00721201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00702BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00702BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072B226 SendInput,keybd_event,

0_2_0072B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007422DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00720B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00721663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00721663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1963981171.0000024CECA41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E0698 cpuid

0_2_006E0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00738195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00738195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071D27A GetUserNameW,

0_2_0071D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006FBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_006FBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006C42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00741204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00741806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://poczta.interia.pl/mh/?mailto=%s	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://getpocket.com/recommendations	0%	URL Reputation	safe
https://lit.dev/docs/templates/directives/#stylemap	0%	URL Reputation	safe
https://push.services.mozilla.com	0%	URL Reputation	safe
https://webextensions.settings.services.mozilla.com/v1	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration	0%	URL Reputation	safe
https://spocs.getpocket.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.193.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.18.110	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.186.78	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3069780185.0000022A62CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.2037100895.0000024CDCF79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2008738783.0000024CEC714000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003571438.0000024CEC70B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3070625362.0000020B830C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3069489502.00000180AB5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3074427845.0000022A62E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1885364804.0000024CE8163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885716767.0000024CE8163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887245498.0000024CE8162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990281517.0000024CE8158000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887657319.0000024CE814B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/user/	firefox.exe, 00000011.00000002.3069780185.0000022A62CF2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.3070625362.0000020B83072000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3069489502.00000180AB586000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3069780185.0000022A62C8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.2031611340.0000024CE7F69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1843587525.0000024CDFB00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844439774.0000024CDFD77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843867463.0000024CDFD1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844240680.0000024CDFD5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844065622.0000024CDFD3C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1884555576.0000024CE0EE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.2031087402.0000024CEB994000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1843587525.0000024CDFB00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844439774.0000024CDFD77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2029922717.0000024CE34A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2002206481.0000024CE19DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978800462.0000024CE19DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2050944931.0000024CE251B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843867463.0000024CDFD1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844240680.0000024CDFD5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844065622.0000024CDFD3C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.2029922717.0000024CE3454000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1843587525.0000024CDFB00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844439774.0000024CDFD77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843867463.0000024CDFD1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844240680.0000024CDFD5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844065622.0000024CDFD3C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.2033435305.0000024CE28D0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3070625362.0000020B830C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3069489502.00000180AB5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3074427845.0000022A62E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.2027992799.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3070625362.0000020B830C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3069489502.00000180AB5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3074427845.0000022A62E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.2027992799.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3069489502.00000180AB503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3069780185.0000022A62C03000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1909533970.0000024CE09B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911060424.0000024CE1B87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.2028965135.0000024CEB6D5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3069780185.0000022A62CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1911060424.0000024CE1B87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909997606.0000024CE0960000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.2002206481.0000024CE199F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.2028965135.0000024CEB693000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1884555576.0000024CE0EE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 00000011.00000002.3069780185.0000022A62C13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1886485778.0000024CE81B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2013850309.0000024CE2658000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2002206481.0000024CE19AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2012291615.0000024CE09B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1968860817.0000024CE01D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885716767.0000024CE81A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2039217586.0000024CE2453000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990281517.0000024CE81A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1855713396.0000024CE01EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2036292693.0000024CE09B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2035478825.0000024CE0F48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887943806.0000024CE0F46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2033435305.0000024CE28EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887225118.0000024CE81B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886731873.0000024CE0F4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974786678.0000024CE263D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982989664.0000024CE2674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2038636670.0000024CE2462000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905841860.0000024CE08D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854287082.0000024CE08DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1999253088.0000024CE24A5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.2029922717.0000024CE3454000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.2029922717.0000024CE3454000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2032532679.0000024CE32AC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.2031004504.0000024CEBEE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2027866257.0000024CEBEDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.2031004504.0000024CEBEE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2027866257.0000024CEBEDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1885716767.0000024CE8163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887245498.0000024CE8162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990281517.0000024CE8158000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887657319.0000024CE814B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1851441504.0000024CDF933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851236895.0000024CDF918000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850431891.0000024CDF933000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.2050780265.0000024CE2532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1909533970.0000024CE0977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911060424.0000024CE1B87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1851441504.0000024CDF933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851236895.0000024CDF918000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850431891.0000024CDF933000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.2028965135.0000024CEB6D5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3070625362.0000020B830C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3069489502.00000180AB5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3074427845.0000022A62E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.2050206950.0000024CE25D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1844065622.0000024CDFD3C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1843587525.0000024CDFB00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844439774.0000024CDFD77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2002206481.0000024CE19DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978800462.0000024CE19DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2050944931.0000024CE251B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843867463.0000024CDFD1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844240680.0000024CDFD5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844065622.0000024CDFD3C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.2027992799.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1911060424.0000024CE1B87000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1851441504.0000024CDF933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851236895.0000024CDF918000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850431891.0000024CDF933000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1887943806.0000024CE0F53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886731873.0000024CE0FE9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	firefox.exe, 0000000F.00000002.3070625362.0000020B830C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3069489502.00000180AB5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3074427845.0000022A62E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 0000000D.00000003.1885364804.0000024CE8163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885716767.0000024CE8163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887245498.0000024CE8162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990281517.0000024CE8158000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887657319.0000024CE814B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.com/recommendations	firefox.exe, 00000011.00000002.3069780185.0000022A62CC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts	firefox.exe, 0000000D.00000003.1886485778.0000024CE81B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885716767.0000024CE81A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990281517.0000024CE81A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887225118.0000024CE81B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887581546.0000024CE81B5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://lit.dev/docs/templates/directives/#stylemap	firefox.exe, 0000000D.00000003.1885716767.0000024CE8163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887245498.0000024CE8162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990281517.0000024CE8158000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887657319.0000024CE814B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://push.services.mozilla.com	firefox.exe, 0000000D.00000003.2028965135.0000024CEB635000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://webextensions.settings.services.mozilla.com/v1	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts	firefox.exe, 0000000D.00000003.1886485778.0000024CE81B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885716767.0000024CE81A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990281517.0000024CE81A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887225118.0000024CE81B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887581546.0000024CE81B5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com	firefox.exe, 0000000D.00000003.1884382104.0000024CE23F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2051053816.0000024CE23F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2050624413.0000024CE256B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/userJ	firefox.exe, 00000010.00000002.3069489502.00000180AB55F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/firefox/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://spocs.getpocket.com	firefox.exe, 0000000D.00000003.2029675418.0000024CE80E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2049537214.0000024CE80E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developers.google.com/safe-browsing/v4/advisory	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/firefox/language-tools/	firefox.exe, 0000000F.00000002.3070076723.0000020B82E90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3073583956.00000180AB600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3068860491.0000022A62A70000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com	firefox.exe, 0000000D.00000003.2027992799.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
172.217.18.110	youtube.com	United States	15169	GOOGLEUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541956
Start date and time:	2024-10-25 11:16:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 44.231.229.39, 52.13.186.250, 216.58.212.138, 142.250.185.202, 142.250.186.46, 2.22.61.56, 2.22.61.59, 142.250.185.110
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
05:17:18	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.201.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	ES Ny kontraktsrunda.msg	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fonedrive.live.com%2Fredir%3Fresid%3DA2C259BD24DEB977%25211517%26authkey%3D%2521AMV6sdjMIZf95vs%26page%3DView%26wd%3Dtarget%2528Quick%2520Notes.one%257C8266a05f-045a-4cc0-bddc-4debc90069bb%252FNotera%2520H6TYD9J4rDFDFECZC-HUYW%257Ca949d04d-b4e2-4509-b99f-d04546199b7b%252F%2529%26wdorigin%3DNavigationUrl&id=71de&rcpt=johan.brandt@skolverket.se&tss=1729830791&msgid=2d0ccdeb-928a-11ef-8a2e-0050569b0508&html=1&h=008c08c0	Get hash	malicious	Unknown	Browse	151.101.130.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://temp.farenheit.net/XL1VkZE1FVGZjL0VwUUt5cWc4dkk1SWpqVFFTMUtQZ0krRFhobktOS05RSWpVMTZIYzk3b3hOUTBoZ2VYdnAzM21wZnYwMVBmdGN0MW12M09qVmMzbnNVeVpkeXBxeHVGd2V4eDRvVlZ5dERsakpjbGV3ZVZxRVhlZ0F6Q3hwQlptYUUyRFhHRzY3YkRXQ3hjWmhBZDBpMkNpakJDSnhzUG9xa2k2ZkdacVpDZVhFVFppeUJLcHJIaC0teVVJeERBTFd0K3k3b01rYS0tRk9zSWNIVEd0blVHZVlhTlFnVUxldz09?cid=2242420613	Get hash	malicious	Unknown	Browse	199.232.196.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	33.107.170.225
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	34.188.198.198
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	48.58.113.147
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	56.104.248.113
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	48.82.37.82
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	57.13.203.90
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	33.56.165.164
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	56.184.188.222
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	33.107.170.225
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	34.188.198.198
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	48.58.113.147
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	56.104.248.113
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	48.82.37.82
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	57.13.203.90
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	33.56.165.164
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	56.184.188.222
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ff1f7eb9-5de2-4d4f-83a1-e15ddb28d979.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1782106980072165
Encrypted:	false
SSDEEP:	192:/CjMXq0fcbhbVbTbfbRbObtbyEl7nUrpJA6WnSrDtTUd/SkDrm:/CY7cNhnzFSJ0rEBnSrDhUd/Q
MD5:	80D022EF83C65BA8C831B924A8F863E5
SHA1:	F04B6A4533919AA0A947EE049A10D0C5894B3F96
SHA-256:	9EF32673005E3A1AE9D76A7D42B39F974E4C476E6185F3D7BA59F360BFD0D933
SHA-512:	68B5305A5CBCFE175F3D18C898A52DCEB8012197C26FD501AA3F7E6DCB8BB90E83E391F4319BF14999A7840F2BE7CAA9E6561F9B6E0FB2C5545ABB02B18CAF09
Malicious:	false
Preview:	{"type":"uninstall","id":"ff1f7eb9-5de2-4d4f-83a1-e15ddb28d979","creationDate":"2024-10-25T10:32:30.513Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ff1f7eb9-5de2-4d4f-83a1-e15ddb28d979.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1782106980072165
Encrypted:	false
SSDEEP:	192:/CjMXq0fcbhbVbTbfbRbObtbyEl7nUrpJA6WnSrDtTUd/SkDrm:/CY7cNhnzFSJ0rEBnSrDhUd/Q
MD5:	80D022EF83C65BA8C831B924A8F863E5
SHA1:	F04B6A4533919AA0A947EE049A10D0C5894B3F96
SHA-256:	9EF32673005E3A1AE9D76A7D42B39F974E4C476E6185F3D7BA59F360BFD0D933
SHA-512:	68B5305A5CBCFE175F3D18C898A52DCEB8012197C26FD501AA3F7E6DCB8BB90E83E391F4319BF14999A7840F2BE7CAA9E6561F9B6E0FB2C5545ABB02B18CAF09
Malicious:	false
Preview:	{"type":"uninstall","id":"ff1f7eb9-5de2-4d4f-83a1-e15ddb28d979","creationDate":"2024-10-25T10:32:30.513Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925987390709697
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL1Z88P:8S+OBIUjOdwiOdYVjjwL1Z88P
MD5:	FE812EE5981E3934E385F65D21A13DFB
SHA1:	BE8AF5B5B7E2EB624A0E8B93C4735A7323562419
SHA-256:	5CCF8A3CBAF43433B068DFDAF070FCD2B460C0A56481F2190CF9CC3B3CD243A2
SHA-512:	3911417B8FC53A6A1D68AFA6041365E0CDCD444156E7F6AF9C73B03F98A43198E68B2A1487554CB1109B29AD930F083357F6F80E8CE1ADFF8090D7481EBA4335
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925987390709697
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL1Z88P:8S+OBIUjOdwiOdYVjjwL1Z88P
MD5:	FE812EE5981E3934E385F65D21A13DFB
SHA1:	BE8AF5B5B7E2EB624A0E8B93C4735A7323562419
SHA-256:	5CCF8A3CBAF43433B068DFDAF070FCD2B460C0A56481F2190CF9CC3B3CD243A2
SHA-512:	3911417B8FC53A6A1D68AFA6041365E0CDCD444156E7F6AF9C73B03F98A43198E68B2A1487554CB1109B29AD930F083357F6F80E8CE1ADFF8090D7481EBA4335
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07334482014949602
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkip:DLhesh7Owd4+ji
MD5:	ACCDB5CD70A778139761438E29CFF4E8
SHA1:	66B26E5622D942E1214E2593A37BEC3F8D78FC28
SHA-256:	CB0D2F802A957AF4A799FA3F7BD4BFE83B66DE00804DA5ACF60C04957E0AF556
SHA-512:	FC7FEE30FC8718EDF89E8DE60BD810F559E87985625B5732E6CE476DE24F6E416DE0D42D1E868E54155D7B9E6989E90AB648F148BD4423D5FA9B0D1118A07B77
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035822017202226504
Encrypted:	false
SSDEEP:	3:GtlstF+Rq+UAuy9rlIl/tlstF+Rq+UAuy9r/lx89//alEl:GtWt8wluhSttWt8wluh789XuM
MD5:	E10A23571B5A3EE4CD32BC84226A9EEE
SHA1:	5028682B9541559294BE9F0D6DEF263C8F6C6A33
SHA-256:	969B76405A78AD0BF5108EC59E28CBB9B0CAC26B29561F244D09661B1B2203B5
SHA-512:	D82B14F93EF043B62F92F5391CE913F9261E24D5B63B23A477CCE68E3D40E9083164268FBBD7D72419AA4B3DD983D58D031589953007098F3E81454FBE8EEA9D
Malicious:	false
Preview:	..-.....................)..y.8.$....5eK..9..?._...-.....................)..y.8.$....5eK..9..?._.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.04010304634033313
Encrypted:	false
SSDEEP:	3:Ol17upkGfE9eQLkGPl8rEXsxdwhml8XW3R2:K+Qwil8dMhm93w
MD5:	A858918413FB62E8D429B285ACE5CFBD
SHA1:	9470CDE5272A195C25D55A2DA9AD14FD33AEAF30
SHA-256:	8A8354A804263F1DD1CB6D73BE3475FCEAF0173FF74AF2759BDE8BF01356F683
SHA-512:	BD65BCB1C2EF5E77983F345901CFB51C42BDCC962C2EA866EEFCC7CBC70B743A9B11D46652940DE2AF73A6AFC66E5B37B1986AA41A7F816E1574B41327C14CC3
Malicious:	false
Preview:	7....-..............5eK..v.................5eK.y..)$.8.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49443022541521
Encrypted:	false
SSDEEP:	192:DnaRtLYbBp6xhj4qyaaX+6Ka2NlxP5RfGNBw8d0eSl:me/qmty3Dcw80
MD5:	178C32AFB4741B6D8EE78F6FB9648612
SHA1:	828E079194D400FF0A7E9D6749AA7ABFAF7FEBB4
SHA-256:	01BE68E2E0ACC42ED9AABA112F4ECEA9B42FB0C317F0229BE0CFB0C066B33D9E
SHA-512:	5A22119D06355E29A82F9F13BF4E72741BF882BB0CAA7F2E671B29F6986DB4A7DA478067E01D726468310BA9CAA740EF8E811CF5DEC36923A3BB18E39CFC163C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729852320);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729852320);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729852320);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172985

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49443022541521
Encrypted:	false
SSDEEP:	192:DnaRtLYbBp6xhj4qyaaX+6Ka2NlxP5RfGNBw8d0eSl:me/qmty3Dcw80
MD5:	178C32AFB4741B6D8EE78F6FB9648612
SHA1:	828E079194D400FF0A7E9D6749AA7ABFAF7FEBB4
SHA-256:	01BE68E2E0ACC42ED9AABA112F4ECEA9B42FB0C317F0229BE0CFB0C066B33D9E
SHA-512:	5A22119D06355E29A82F9F13BF4E72741BF882BB0CAA7F2E671B29F6986DB4A7DA478067E01D726468310BA9CAA740EF8E811CF5DEC36923A3BB18E39CFC163C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729852320);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729852320);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729852320);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172985

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\51df852c-0a32-4424-8e8a-235582f764ff (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.966956317848903
Encrypted:	false
SSDEEP:	12:YZFg7gIiJzPyPIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YFIrPSlCOlZGV1AQIWZcy6Z2d
MD5:	CC96293682190369CEA7641225BEBC34
SHA1:	46AC3E7B1FE0146C8C7191FFF082A458F589E727
SHA-256:	1213B332D4C5617018B4B08F68D439404F2349C7367D003701C11F5EC69EE76B
SHA-512:	4724E50C5E97C7D3DC9D9C031320A9B8F945038E3EBDCA8F46B0C88BB622DE9405A1DAC384C8EEA9CB300149FB9B7B4E30B94F20D72EA686CEFDCFAF775026A8
Malicious:	false
Preview:	{"type":"health","id":"51df852c-0a32-4424-8e8a-235582f764ff","creationDate":"2024-10-25T10:32:31.179Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\51df852c-0a32-4424-8e8a-235582f764ff.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.966956317848903
Encrypted:	false
SSDEEP:	12:YZFg7gIiJzPyPIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YFIrPSlCOlZGV1AQIWZcy6Z2d
MD5:	CC96293682190369CEA7641225BEBC34
SHA1:	46AC3E7B1FE0146C8C7191FFF082A458F589E727
SHA-256:	1213B332D4C5617018B4B08F68D439404F2349C7367D003701C11F5EC69EE76B
SHA-512:	4724E50C5E97C7D3DC9D9C031320A9B8F945038E3EBDCA8F46B0C88BB622DE9405A1DAC384C8EEA9CB300149FB9B7B4E30B94F20D72EA686CEFDCFAF775026A8
Malicious:	false
Preview:	{"type":"health","id":"51df852c-0a32-4424-8e8a-235582f764ff","creationDate":"2024-10-25T10:32:31.179Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	6.328124125449759
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS8j2LXnIghW/pnxQwRlszT5sKt0V3eHVQj6TMamhujJlOsIomNVr02:GUpOxD2YnR6a3eHTM4JlIq4w4
MD5:	46C41DA67662ADFEF5B9C1717CEB8522
SHA1:	89B6A1D3870B412E11E74EC382A299DF9A6D5F74
SHA-256:	FBA3E68CDD6E0AD6AD2238EA94A90A8CCACCE9C13C10E784FCB9DAA19CC3BB1D
SHA-512:	33D0CB4773AD007D19D67100E4A239C43F5B47BB8A1D38D405475DACAFE248735870BE96798424998A07A2F1C5B6819B2B748C02BEB20FA40A03D4DCB2BED5D4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{cec470cf-f3ae-4f4e-b1d3-769023eb5c3c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729852327115,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`290125...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....295650,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	6.328124125449759
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS8j2LXnIghW/pnxQwRlszT5sKt0V3eHVQj6TMamhujJlOsIomNVr02:GUpOxD2YnR6a3eHTM4JlIq4w4
MD5:	46C41DA67662ADFEF5B9C1717CEB8522
SHA1:	89B6A1D3870B412E11E74EC382A299DF9A6D5F74
SHA-256:	FBA3E68CDD6E0AD6AD2238EA94A90A8CCACCE9C13C10E784FCB9DAA19CC3BB1D
SHA-512:	33D0CB4773AD007D19D67100E4A239C43F5B47BB8A1D38D405475DACAFE248735870BE96798424998A07A2F1C5B6819B2B748C02BEB20FA40A03D4DCB2BED5D4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{cec470cf-f3ae-4f4e-b1d3-769023eb5c3c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729852327115,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`290125...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....295650,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	6.328124125449759
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS8j2LXnIghW/pnxQwRlszT5sKt0V3eHVQj6TMamhujJlOsIomNVr02:GUpOxD2YnR6a3eHTM4JlIq4w4
MD5:	46C41DA67662ADFEF5B9C1717CEB8522
SHA1:	89B6A1D3870B412E11E74EC382A299DF9A6D5F74
SHA-256:	FBA3E68CDD6E0AD6AD2238EA94A90A8CCACCE9C13C10E784FCB9DAA19CC3BB1D
SHA-512:	33D0CB4773AD007D19D67100E4A239C43F5B47BB8A1D38D405475DACAFE248735870BE96798424998A07A2F1C5B6819B2B748C02BEB20FA40A03D4DCB2BED5D4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{cec470cf-f3ae-4f4e-b1d3-769023eb5c3c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729852327115,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`290125...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....295650,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032922463839227
Encrypted:	false
SSDEEP:	48:YrSAYV6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycVyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	5B30F553733CCAE271B1BF148C8CAFF5
SHA1:	3EA755212326BE8731958D3520C9BD3C1E585CA8
SHA-256:	3DE09D60AC9ACDCE9B07966F75F66BBA9B5081012AE34E5E24BCC995B7A5206A
SHA-512:	7E1CD8022EDE7F0F5D12956CC53EF417BF5F4FD7A0F2FDF65AA875B7597DAE3745EED9982FC3C0437FB6E824EDD75AE689C387583EE6904FFEBADB12879336AC
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T10:31:42.227Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032922463839227
Encrypted:	false
SSDEEP:	48:YrSAYV6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycVyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	5B30F553733CCAE271B1BF148C8CAFF5
SHA1:	3EA755212326BE8731958D3520C9BD3C1E585CA8
SHA-256:	3DE09D60AC9ACDCE9B07966F75F66BBA9B5081012AE34E5E24BCC995B7A5206A
SHA-512:	7E1CD8022EDE7F0F5D12956CC53EF417BF5F4FD7A0F2FDF65AA875B7597DAE3745EED9982FC3C0437FB6E824EDD75AE689C387583EE6904FFEBADB12879336AC
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T10:31:42.227Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584662441200419
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	81179973941258193a072d65b533706c
SHA1:	18004cce2e025df386dafca9c5107e73fb42c131
SHA256:	2a4ad8fc9e9ca97ede614b35ffff9a4262edfe15e9122f56a03f1ca526be22af
SHA512:	af7dccdd03ce146859aa748a6f6c1c1327ae005af2054af231a973c220f95f1b154dea4893020450a76c625717e8be83c5ced9737c8971ad43f0c6a0bbadd045
SSDEEP:	12288:NqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TZ:NqDEvCTbMWu7rQYlBQcBiT6rprG8abZ
TLSH:	E7159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671B5E5B [Fri Oct 25 09:01:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F0CC88233B3h
jmp 00007F0CC8822CBFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0CC8822E9Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0CC8822E6Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F0CC8825A5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F0CC8825AA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F0CC8825A91h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	6d332493300a14ff890739ca7bd38f28	False	0.315565664556962	data	5.373248943240726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 11:17:15.403372049 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:15.403470039 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:15.403636932 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:15.409312963 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:15.409354925 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:16.087987900 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:16.088082075 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:16.107506990 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:16.107553959 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:16.107636929 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:16.108208895 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:16.108285904 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:17.204200983 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:17.210915089 CEST	80	49738	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:17.225869894 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:17.228435040 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:17.234298944 CEST	80	49738	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:17.833723068 CEST	80	49738	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:17.856787920 CEST	49739	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:17.856847048 CEST	443	49739	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:17.868290901 CEST	49739	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:17.869688988 CEST	49739	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:17.869710922 CEST	443	49739	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:17.886962891 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:17.988954067 CEST	49740	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:17.989041090 CEST	443	49740	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:17.995151043 CEST	49740	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:17.996515989 CEST	49740	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:17.996555090 CEST	443	49740	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:18.219192982 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:18.224577904 CEST	80	49741	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:18.225606918 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:18.226114035 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:18.231448889 CEST	80	49741	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:18.514107943 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:18.514190912 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:18.514321089 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:18.515531063 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:18.515571117 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:18.526515007 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:18.526531935 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:18.527148962 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:18.528424978 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:18.528438091 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:18.542933941 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:18.542941093 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:18.546140909 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:18.546286106 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:18.546291113 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:18.668392897 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:18.668473959 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:18.668560028 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:18.668699026 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:18.668726921 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:18.724972963 CEST	443	49739	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:18.725020885 CEST	443	49739	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:18.725321054 CEST	49739	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:18.726001978 CEST	443	49739	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:18.726850986 CEST	49739	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:18.732564926 CEST	49739	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:18.732594967 CEST	443	49739	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:18.732692003 CEST	49739	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:18.732875109 CEST	443	49739	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:18.732925892 CEST	49739	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:18.814637899 CEST	80	49741	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:18.858551979 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:19.029803991 CEST	443	49740	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.031227112 CEST	443	49740	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.034894943 CEST	49740	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.034926891 CEST	443	49740	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.039107084 CEST	49740	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.039128065 CEST	443	49740	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.039242983 CEST	49740	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.039305925 CEST	443	49740	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.039664030 CEST	49748	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.039712906 CEST	443	49748	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.041367054 CEST	49740	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.041448116 CEST	49748	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.042907000 CEST	49748	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.042933941 CEST	443	49748	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.154933929 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.155318022 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.156757116 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.158447981 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.162429094 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.162441015 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.162533998 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.162704945 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.162880898 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.162952900 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.163398027 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:19.165019989 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.165074110 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.165102005 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.165312052 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.167071104 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.167129040 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.167200089 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:19.168669939 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.168708086 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.168843031 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.171890974 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:19.171906948 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:19.172575951 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:19.174514055 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:19.174582005 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:19.174913883 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:19.174974918 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:19.248671055 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:19.248712063 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:19.254688978 CEST	80	49741	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:19.255574942 CEST	80	49738	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:19.259764910 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:19.259780884 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:19.303199053 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.306755066 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.309834003 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.309853077 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.310287952 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.311995029 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.312099934 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.312207937 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.312455893 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.312495947 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.315363884 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.315383911 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.315418959 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.315836906 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.315855980 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.781941891 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.782022953 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.786109924 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.786130905 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.786178112 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.786395073 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:19.786705017 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:19.914330006 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.914494038 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.917454958 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.917484045 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.917583942 CEST	443	49748	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.917817116 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.917872906 CEST	49748	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.920104027 CEST	443	49748	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.920346975 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.920418024 CEST	49748	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.920418978 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.920516014 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 25, 2024 11:17:19.920583010 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 25, 2024 11:17:19.924084902 CEST	49748	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.924101114 CEST	443	49748	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.924236059 CEST	49748	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:19.924387932 CEST	443	49748	172.217.18.110	192.168.2.4
Oct 25, 2024 11:17:19.925020933 CEST	49748	443	192.168.2.4	172.217.18.110
Oct 25, 2024 11:17:20.297941923 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:20.303428888 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:20.304754019 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:20.304909945 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:20.310569048 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:20.439129114 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:20.439188004 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:20.446021080 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:20.447587013 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:20.447612047 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:20.511945963 CEST	49754	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:20.512027979 CEST	443	49754	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:20.515045881 CEST	49754	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:20.516665936 CEST	49754	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:20.516704082 CEST	443	49754	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:20.820127010 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:20.820209026 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:20.821064949 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:20.831577063 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:20.831610918 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:20.831969976 CEST	49756	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:20.831998110 CEST	443	49756	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:20.832118034 CEST	49756	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:20.833479881 CEST	49756	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:20.833489895 CEST	443	49756	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:20.900856018 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:20.947412968 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.055913925 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:21.055953026 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:21.055995941 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:21.064315081 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:21.064337015 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:21.064398050 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:21.064557076 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 25, 2024 11:17:21.078480959 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.078979969 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 25, 2024 11:17:21.083924055 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:21.088851929 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.089037895 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.094378948 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:21.113169909 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.118498087 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:21.134813070 CEST	443	49754	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:21.147350073 CEST	443	49754	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:21.148039103 CEST	49754	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:21.157732010 CEST	49754	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:21.159492970 CEST	49754	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:21.159507990 CEST	443	49754	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:21.159564018 CEST	49754	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:21.160084963 CEST	443	49754	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:21.163664103 CEST	49754	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:21.238234997 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:21.279536009 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.440182924 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:21.440273046 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:21.442967892 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:21.442996979 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:21.443351984 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:21.446074009 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:21.446135998 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:21.446258068 CEST	443	49755	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:21.446316957 CEST	49755	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:21.461812019 CEST	443	49756	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:21.461884022 CEST	49756	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:21.466629028 CEST	49756	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:21.466639042 CEST	443	49756	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:21.466706991 CEST	49756	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:21.466828108 CEST	443	49756	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:21.467082977 CEST	49756	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:21.610320091 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.616415977 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:21.616638899 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.623869896 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:21.623964071 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:21.627440929 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:21.628742933 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:21.628819942 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:21.691076994 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.696499109 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:21.696938038 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.697078943 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:21.702441931 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:22.244965076 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:22.247111082 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.251527071 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.251540899 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:22.251660109 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.251805067 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:22.252036095 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.252074957 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:22.253619909 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.253650904 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.255003929 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.255022049 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:22.301940918 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:22.347378016 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:22.868519068 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:22.868609905 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.872344017 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.872370958 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:22.872414112 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:22.872631073 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:22.872766018 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:25.817199945 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:25.822700977 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:25.853393078 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:25.853446007 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:25.855262041 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:25.856869936 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:25.856889963 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:25.868289948 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:25.868376970 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:25.872148991 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:25.872306108 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:25.872340918 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:25.942280054 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:25.997375965 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:26.462485075 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:26.471369028 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:26.473746061 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.473792076 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.478921890 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:26.480199099 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.686413050 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.686456919 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:26.687298059 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:26.728111029 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.728132010 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:26.728228092 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.728627920 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.728698015 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.728768110 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:26.729038000 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:26.730611086 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:26.730652094 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:32.187908888 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:32.187993050 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:32.192434072 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:32.309751034 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:32.315232992 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:32.754899979 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:32.754950047 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:33.161608934 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:33.167057991 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:33.288420916 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:33.343964100 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:33.552464008 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:33.552517891 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:33.560385942 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:33.560559034 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:33.563328981 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:33.563364029 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:33.563779116 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:33.565990925 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:33.566081047 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:33.566200972 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:33.566348076 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:33.648602009 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:33.650120020 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:33.650147915 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:33.654324055 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:33.655772924 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:33.657116890 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:33.657135010 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:33.739275932 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:33.739325047 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:33.740278006 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:33.741729021 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:33.741746902 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:33.773802042 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:33.814261913 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:34.274054050 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:34.275523901 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:34.356875896 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:34.357326984 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:34.948168993 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:34.951981068 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:34.951998949 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:34.952074051 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:34.952564001 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 25, 2024 11:17:34.952764034 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:34.952780962 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:34.952908039 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:34.953444004 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:34.953653097 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:34.965712070 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:17:34.965734959 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:34.984006882 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:34.989437103 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:35.074857950 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:35.108731031 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:35.112282038 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:35.117686033 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:35.153039932 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:35.239187002 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:35.291106939 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:42.292958021 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:42.299443960 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:42.418932915 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:42.422574997 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:42.427984953 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:42.468885899 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:42.551220894 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:42.607069016 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:43.968409061 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:43.968470097 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:43.973383904 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:43.973607063 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:43.973640919 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.046278000 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.046303988 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:44.049537897 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.049683094 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.049699068 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:44.059226990 CEST	49775	443	192.168.2.4	151.101.193.91
Oct 25, 2024 11:17:44.059267044 CEST	443	49775	151.101.193.91	192.168.2.4
Oct 25, 2024 11:17:44.073760033 CEST	49775	443	192.168.2.4	151.101.193.91
Oct 25, 2024 11:17:44.074656010 CEST	49775	443	192.168.2.4	151.101.193.91
Oct 25, 2024 11:17:44.074675083 CEST	443	49775	151.101.193.91	192.168.2.4
Oct 25, 2024 11:17:44.096734047 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:44.096752882 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:44.107656002 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:44.112768888 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:44.112782001 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:44.113166094 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 25, 2024 11:17:44.113212109 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 25, 2024 11:17:44.127099991 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 25, 2024 11:17:44.128586054 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 25, 2024 11:17:44.128599882 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 25, 2024 11:17:44.593170881 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.593269110 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.596415997 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.596462011 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.597225904 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.599301100 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.599387884 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.599495888 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.599944115 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.603434086 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:44.608912945 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:44.675208092 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:44.675293922 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.678364038 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.678376913 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:44.678855896 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:44.680603981 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.680682898 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.680780888 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:44.688833952 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.688949108 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.695477009 CEST	443	49775	151.101.193.91	192.168.2.4
Oct 25, 2024 11:17:44.695496082 CEST	443	49775	151.101.193.91	192.168.2.4
Oct 25, 2024 11:17:44.696414948 CEST	49775	443	192.168.2.4	151.101.193.91
Oct 25, 2024 11:17:44.699847937 CEST	49775	443	192.168.2.4	151.101.193.91
Oct 25, 2024 11:17:44.699860096 CEST	443	49775	151.101.193.91	192.168.2.4
Oct 25, 2024 11:17:44.700262070 CEST	443	49775	151.101.193.91	192.168.2.4
Oct 25, 2024 11:17:44.702579021 CEST	49775	443	192.168.2.4	151.101.193.91
Oct 25, 2024 11:17:44.702579021 CEST	49775	443	192.168.2.4	151.101.193.91
Oct 25, 2024 11:17:44.702775955 CEST	443	49775	151.101.193.91	192.168.2.4
Oct 25, 2024 11:17:44.708630085 CEST	49775	443	192.168.2.4	151.101.193.91
Oct 25, 2024 11:17:44.710331917 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.710376024 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.710819006 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.710916042 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.710954905 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.713021040 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.713047981 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.713294029 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.713361979 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.713375092 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.715512991 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.715584040 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.715759039 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.715856075 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:44.715883017 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:44.728594065 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:44.730942011 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:44.733602047 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:44.733618021 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:44.733704090 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:44.736355066 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:44.737823963 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:44.737828016 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:44.737905025 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:44.738014936 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 25, 2024 11:17:44.738646984 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 25, 2024 11:17:44.738677979 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 25, 2024 11:17:44.738707066 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 25, 2024 11:17:44.738769054 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 25, 2024 11:17:44.740588903 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:44.743103981 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 25, 2024 11:17:44.743117094 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 25, 2024 11:17:44.743181944 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 25, 2024 11:17:44.743249893 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 25, 2024 11:17:44.743742943 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 25, 2024 11:17:44.746004105 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:44.754131079 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.754163980 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:44.754239082 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.754329920 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:44.754344940 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:44.857950926 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:44.866765976 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:44.870857954 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:44.877613068 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:44.913739920 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:44.980798006 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:44.980814934 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:44.980884075 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:44.982310057 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:44.982316971 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:44.998898983 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.045295954 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:45.314860106 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.315077066 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.318178892 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.318188906 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.318506002 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.320811987 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.320811987 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.320987940 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.321099997 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.325067043 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:45.330455065 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.335048914 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.335138083 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.337810040 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.337832928 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.338592052 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.339505911 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.339576006 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.342010021 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.342019081 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.342328072 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.342708111 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.342766047 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.342874050 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.343452930 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.345031023 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.345096111 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.345199108 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 11:17:45.345629930 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 11:17:45.373843908 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:45.373929024 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:45.376880884 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:45.376892090 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:45.377208948 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:45.379422903 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:45.379498005 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:45.379595995 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 25, 2024 11:17:45.380119085 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 25, 2024 11:17:45.449770927 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.452783108 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:45.458374977 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.493349075 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:45.579586983 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.579744101 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:45.579956055 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:45.584321976 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:45.584327936 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:45.584397078 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:45.584461927 CEST	443	49782	34.107.243.93	192.168.2.4
Oct 25, 2024 11:17:45.585280895 CEST	49782	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:17:45.586992025 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:45.592272043 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.631386995 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:45.711479902 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.714560032 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:45.719855070 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.763068914 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:45.841569901 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:45.894470930 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:55.725702047 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:55.731096983 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:17:55.857299089 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:17:55.862715960 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:05.590409994 CEST	49836	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:05.590493917 CEST	443	49836	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:05.590713024 CEST	49836	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:05.592098951 CEST	49836	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:05.592124939 CEST	443	49836	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:05.732712984 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:05.738230944 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:05.864247084 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:05.869858980 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:06.207102060 CEST	443	49836	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:06.207248926 CEST	49836	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:06.211837053 CEST	49836	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:06.211870909 CEST	443	49836	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:06.211930990 CEST	49836	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:06.212119102 CEST	443	49836	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:06.212183952 CEST	49836	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:06.214560986 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:06.222532034 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:06.349036932 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:06.352015972 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:06.358020067 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:06.403500080 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:06.479563951 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:06.535015106 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:14.117516994 CEST	49882	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.117533922 CEST	443	49882	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.117654085 CEST	49883	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.117681026 CEST	443	49883	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.117779016 CEST	49884	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.117821932 CEST	443	49884	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.118026972 CEST	49882	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.118201017 CEST	49882	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.118206024 CEST	49883	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.118207932 CEST	443	49882	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.118211985 CEST	49884	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.118321896 CEST	49884	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.118351936 CEST	443	49884	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.118396997 CEST	49883	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.118407011 CEST	443	49883	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.729401112 CEST	443	49882	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.729477882 CEST	49882	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.733036995 CEST	49882	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.733043909 CEST	443	49882	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.733365059 CEST	443	49882	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.735831022 CEST	49882	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.735945940 CEST	49882	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.736041069 CEST	443	49882	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.736095905 CEST	49882	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.738475084 CEST	443	49883	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.738549948 CEST	49883	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.741200924 CEST	443	49884	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.741713047 CEST	49883	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.741719007 CEST	443	49883	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.741893053 CEST	49884	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.742037058 CEST	443	49883	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.744564056 CEST	49884	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.744579077 CEST	443	49884	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.745007038 CEST	443	49884	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.748147011 CEST	49883	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.748250008 CEST	49883	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.748339891 CEST	443	49883	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.748346090 CEST	49884	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.748450994 CEST	49884	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.748538971 CEST	49883	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.748794079 CEST	443	49884	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.748859882 CEST	49884	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.806133986 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:14.807944059 CEST	49890	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.807972908 CEST	443	49890	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.811496019 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:14.812688112 CEST	49890	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.812999010 CEST	49890	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.813014030 CEST	443	49890	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.852365017 CEST	49891	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.852405071 CEST	443	49891	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.859554052 CEST	49891	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.859850883 CEST	49891	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.859880924 CEST	443	49891	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.872849941 CEST	49892	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.872915983 CEST	443	49892	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.875186920 CEST	49892	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.875644922 CEST	49892	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.875677109 CEST	443	49892	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.924025059 CEST	49893	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.924053907 CEST	443	49893	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.924920082 CEST	49893	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.925020933 CEST	49893	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:14.925036907 CEST	443	49893	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:14.931158066 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:14.965065002 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:14.970504999 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:14.991055012 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:15.098893881 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.148883104 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:15.413985968 CEST	443	49890	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.414099932 CEST	49890	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.417262077 CEST	49890	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.417275906 CEST	443	49890	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.417618990 CEST	443	49890	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.419522047 CEST	49890	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.419634104 CEST	49890	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.419730902 CEST	443	49890	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.419794083 CEST	49890	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.423263073 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:15.428661108 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.476123095 CEST	443	49891	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.476140976 CEST	443	49891	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.476393938 CEST	49891	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.479196072 CEST	49891	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.479202986 CEST	443	49891	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.479526997 CEST	443	49891	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.481662989 CEST	49891	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.481662989 CEST	49891	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.481848001 CEST	443	49891	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.482245922 CEST	49891	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.487925053 CEST	443	49892	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.488035917 CEST	49892	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.490958929 CEST	49892	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.490977049 CEST	443	49892	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.491483927 CEST	443	49892	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.493196964 CEST	49892	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.493282080 CEST	49892	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.493392944 CEST	443	49892	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.493453979 CEST	49892	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.548765898 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.549864054 CEST	443	49893	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.550429106 CEST	49893	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.553462982 CEST	49893	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.553479910 CEST	443	49893	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.553811073 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:15.553944111 CEST	443	49893	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.556449890 CEST	49893	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.556449890 CEST	49893	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.556638956 CEST	443	49893	34.120.208.123	192.168.2.4
Oct 25, 2024 11:18:15.556782007 CEST	49893	443	192.168.2.4	34.120.208.123
Oct 25, 2024 11:18:15.559061050 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.559709072 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:15.565449953 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.680604935 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.685199976 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.687920094 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:15.693269014 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.732980967 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:15.814676046 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:15.870168924 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:25.693193913 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:25.698710918 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:25.815620899 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:25.821017981 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:35.709820986 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:35.715267897 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:35.841201067 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:35.846604109 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:45.720674038 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:45.726032019 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:45.852220058 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:45.857633114 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:46.688689947 CEST	50058	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:46.688728094 CEST	443	50058	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:46.688946962 CEST	50058	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:46.690484047 CEST	50058	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:46.690502882 CEST	443	50058	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:47.298444986 CEST	443	50058	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:47.298523903 CEST	50058	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:47.305505991 CEST	50058	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:47.305525064 CEST	443	50058	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:47.305646896 CEST	50058	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:47.305690050 CEST	443	50058	34.107.243.93	192.168.2.4
Oct 25, 2024 11:18:47.306411982 CEST	50058	443	192.168.2.4	34.107.243.93
Oct 25, 2024 11:18:47.308374882 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:47.313779116 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:47.433135986 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:47.436893940 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:47.442193031 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:47.479161024 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:47.563728094 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:47.610661030 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:57.438992977 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:57.444396973 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:18:57.570559025 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:18:57.577193975 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:19:07.458340883 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:19:07.464005947 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:19:07.590013027 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:19:07.595336914 CEST	80	49759	34.107.221.82	192.168.2.4
Oct 25, 2024 11:19:17.474381924 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:19:17.479846001 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 25, 2024 11:19:17.605895042 CEST	49759	80	192.168.2.4	34.107.221.82
Oct 25, 2024 11:19:17.611386061 CEST	80	49759	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 11:17:15.403647900 CEST	56595	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:15.411082983 CEST	53	56595	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:15.421010971 CEST	54668	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:15.428391933 CEST	53	54668	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:16.185121059 CEST	63242	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:16.473839045 CEST	49893	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:16.484864950 CEST	53	49893	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:16.485522032 CEST	59703	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:16.492990017 CEST	53	59703	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:17.840965986 CEST	61041	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:17.849215031 CEST	53	61041	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:17.857430935 CEST	64443	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:17.864631891 CEST	53	64443	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:17.869092941 CEST	52147	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:17.876823902 CEST	53	52147	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:17.987432957 CEST	57848	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.166433096 CEST	53	57848	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.201281071 CEST	56958	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.210074902 CEST	56993	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.211353064 CEST	53	56958	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.501569033 CEST	59528	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.511935949 CEST	53	59528	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.514265060 CEST	51206	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.516016006 CEST	57962	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.522766113 CEST	53	51206	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.523303032 CEST	65415	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.525087118 CEST	53	57962	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.526949883 CEST	51178	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.534059048 CEST	53	65415	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.535146952 CEST	53	51178	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.543332100 CEST	57765	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.550664902 CEST	56696	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.553520918 CEST	53	57765	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.558298111 CEST	52265	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.559863091 CEST	53	56696	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.566982031 CEST	53	52265	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.659900904 CEST	65166	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.667589903 CEST	53	65166	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.668514013 CEST	62825	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.677164078 CEST	53	62825	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.677661896 CEST	54681	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.686300039 CEST	53	54681	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:18.821597099 CEST	60540	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:18.855411053 CEST	53	56319	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:20.435215950 CEST	49506	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:20.442569017 CEST	53	49506	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:20.463056087 CEST	51096	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:20.470465899 CEST	53	51096	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:20.471352100 CEST	61093	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:20.480124950 CEST	53	61093	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:20.822155952 CEST	57217	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:20.830064058 CEST	53	57217	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:20.830574036 CEST	59236	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:20.838479042 CEST	53	59236	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:21.604202986 CEST	63456	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:21.612575054 CEST	53	63456	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:21.624505043 CEST	64136	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:21.633095026 CEST	53	64136	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:21.633665085 CEST	62800	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:21.640993118 CEST	53	62800	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:25.826009989 CEST	57125	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:25.828917980 CEST	64945	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:25.833823919 CEST	53	57125	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:25.836443901 CEST	53	64945	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:25.854527950 CEST	64936	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:25.862970114 CEST	53	64936	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:25.881474972 CEST	54359	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:25.889529943 CEST	53	54359	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:32.188915968 CEST	51713	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:32.197124958 CEST	53	51713	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:33.199680090 CEST	63623	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:33.207293034 CEST	53	63623	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:33.208277941 CEST	64139	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:33.216348886 CEST	53	64139	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:36.981451988 CEST	53336	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:36.981888056 CEST	59412	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:36.982273102 CEST	53864	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:36.988701105 CEST	53	53336	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:36.989403009 CEST	53	53864	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:36.989595890 CEST	53	59412	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:36.989646912 CEST	57678	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:36.990283012 CEST	55436	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:36.990641117 CEST	57844	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:36.996870041 CEST	53	57678	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:36.997375011 CEST	59601	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:36.998085022 CEST	53	57844	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:36.998203993 CEST	53	55436	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:36.998572111 CEST	64304	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:36.998711109 CEST	61344	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:37.005532026 CEST	53	59601	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:37.005705118 CEST	53	64304	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:37.006051064 CEST	54621	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:37.006477118 CEST	64287	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:37.006690979 CEST	53	61344	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:37.014024019 CEST	53	54621	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:37.014774084 CEST	57750	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:37.015140057 CEST	53	64287	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:37.015710115 CEST	59557	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:37.022108078 CEST	53	57750	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:37.023089886 CEST	53	59557	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:37.025455952 CEST	65528	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:37.025804996 CEST	50091	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:37.032782078 CEST	53	65528	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:37.033857107 CEST	53	50091	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:43.968595028 CEST	49576	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:43.978708029 CEST	53	49576	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:44.041831970 CEST	64817	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:44.050380945 CEST	53	64817	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:44.076663971 CEST	49176	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:44.084255934 CEST	53	49176	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:44.094434977 CEST	63788	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:44.097248077 CEST	62865	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:44.102555990 CEST	53	63788	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:44.104733944 CEST	53	62865	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:44.109055996 CEST	49695	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:44.117218971 CEST	53	49695	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:44.134833097 CEST	50917	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:44.142654896 CEST	53	50917	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:44.980335951 CEST	55673	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:44.989080906 CEST	53	55673	1.1.1.1	192.168.2.4
Oct 25, 2024 11:17:44.990160942 CEST	62563	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:17:44.997906923 CEST	53	62563	1.1.1.1	192.168.2.4
Oct 25, 2024 11:18:05.590579987 CEST	52939	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:18:05.599100113 CEST	53	52939	1.1.1.1	192.168.2.4
Oct 25, 2024 11:18:06.214828968 CEST	62773	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:18:14.115252018 CEST	52221	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:18:14.122772932 CEST	53	52221	1.1.1.1	192.168.2.4
Oct 25, 2024 11:18:46.680280924 CEST	52392	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:18:46.687599897 CEST	53	52392	1.1.1.1	192.168.2.4
Oct 25, 2024 11:18:46.688486099 CEST	63212	53	192.168.2.4	1.1.1.1
Oct 25, 2024 11:18:46.696587086 CEST	53	63212	1.1.1.1	192.168.2.4
Oct 25, 2024 11:18:47.308610916 CEST	55910	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 11:17:15.403647900 CEST	192.168.2.4	1.1.1.1	0xb586	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:15.421010971 CEST	192.168.2.4	1.1.1.1	0x8e69	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:16.185121059 CEST	192.168.2.4	1.1.1.1	0x6b07	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:16.473839045 CEST	192.168.2.4	1.1.1.1	0x77c0	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:16.485522032 CEST	192.168.2.4	1.1.1.1	0xdcf4	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:17.840965986 CEST	192.168.2.4	1.1.1.1	0x9e4b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:17.857430935 CEST	192.168.2.4	1.1.1.1	0xadad	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:17.869092941 CEST	192.168.2.4	1.1.1.1	0x2b5	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:17.987432957 CEST	192.168.2.4	1.1.1.1	0xe804	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.201281071 CEST	192.168.2.4	1.1.1.1	0xa4e6	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.210074902 CEST	192.168.2.4	1.1.1.1	0x1f2a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.501569033 CEST	192.168.2.4	1.1.1.1	0xaf71	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.514265060 CEST	192.168.2.4	1.1.1.1	0x1f29	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.516016006 CEST	192.168.2.4	1.1.1.1	0x8773	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.523303032 CEST	192.168.2.4	1.1.1.1	0x841b	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:18.526949883 CEST	192.168.2.4	1.1.1.1	0x82c9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.543332100 CEST	192.168.2.4	1.1.1.1	0x2f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.550664902 CEST	192.168.2.4	1.1.1.1	0xf537	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:18.558298111 CEST	192.168.2.4	1.1.1.1	0xcf9b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:18.659900904 CEST	192.168.2.4	1.1.1.1	0xab55	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.668514013 CEST	192.168.2.4	1.1.1.1	0xe9eb	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.677661896 CEST	192.168.2.4	1.1.1.1	0x7643	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:18.821597099 CEST	192.168.2.4	1.1.1.1	0xc35b	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:20.435215950 CEST	192.168.2.4	1.1.1.1	0xdf53	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:20.463056087 CEST	192.168.2.4	1.1.1.1	0x300e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:20.471352100 CEST	192.168.2.4	1.1.1.1	0xb348	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:20.822155952 CEST	192.168.2.4	1.1.1.1	0xcaf3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:20.830574036 CEST	192.168.2.4	1.1.1.1	0xd9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:21.604202986 CEST	192.168.2.4	1.1.1.1	0x490	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:21.624505043 CEST	192.168.2.4	1.1.1.1	0x2ccd	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:21.633665085 CEST	192.168.2.4	1.1.1.1	0x58b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:25.826009989 CEST	192.168.2.4	1.1.1.1	0xf2	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:25.828917980 CEST	192.168.2.4	1.1.1.1	0x2972	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:25.854527950 CEST	192.168.2.4	1.1.1.1	0xd4e6	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:25.881474972 CEST	192.168.2.4	1.1.1.1	0x7925	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:32.188915968 CEST	192.168.2.4	1.1.1.1	0x6da0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:33.199680090 CEST	192.168.2.4	1.1.1.1	0x7533	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:33.208277941 CEST	192.168.2.4	1.1.1.1	0xe4ba	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:36.981451988 CEST	192.168.2.4	1.1.1.1	0xb0f9	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.981888056 CEST	192.168.2.4	1.1.1.1	0xd0e	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.982273102 CEST	192.168.2.4	1.1.1.1	0x6786	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.989646912 CEST	192.168.2.4	1.1.1.1	0xbec2	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.990283012 CEST	192.168.2.4	1.1.1.1	0x8bd0	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.990641117 CEST	192.168.2.4	1.1.1.1	0x78ce	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.997375011 CEST	192.168.2.4	1.1.1.1	0x39ce	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:36.998572111 CEST	192.168.2.4	1.1.1.1	0x9b8b	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:36.998711109 CEST	192.168.2.4	1.1.1.1	0x52ff	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 11:17:37.006051064 CEST	192.168.2.4	1.1.1.1	0x3644	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.006477118 CEST	192.168.2.4	1.1.1.1	0xd7a6	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.014774084 CEST	192.168.2.4	1.1.1.1	0x6339	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.015710115 CEST	192.168.2.4	1.1.1.1	0xfdd	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.025455952 CEST	192.168.2.4	1.1.1.1	0x159c	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:37.025804996 CEST	192.168.2.4	1.1.1.1	0xaafc	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:43.968595028 CEST	192.168.2.4	1.1.1.1	0xc968	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 11:17:44.041831970 CEST	192.168.2.4	1.1.1.1	0xbf04	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.076663971 CEST	192.168.2.4	1.1.1.1	0xd561	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.094434977 CEST	192.168.2.4	1.1.1.1	0x97c5	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 11:17:44.097248077 CEST	192.168.2.4	1.1.1.1	0xc5c9	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.109055996 CEST	192.168.2.4	1.1.1.1	0x8757	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.134833097 CEST	192.168.2.4	1.1.1.1	0x972c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:17:44.980335951 CEST	192.168.2.4	1.1.1.1	0xfbfc	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.990160942 CEST	192.168.2.4	1.1.1.1	0x6d36	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:18:05.590579987 CEST	192.168.2.4	1.1.1.1	0xbb0c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:18:06.214828968 CEST	192.168.2.4	1.1.1.1	0x38ab	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:18:14.115252018 CEST	192.168.2.4	1.1.1.1	0x4ed2	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:18:46.680280924 CEST	192.168.2.4	1.1.1.1	0x845e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:18:46.688486099 CEST	192.168.2.4	1.1.1.1	0x318c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 11:18:47.308610916 CEST	192.168.2.4	1.1.1.1	0x11c4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 11:17:15.387634039 CEST	1.1.1.1	192.168.2.4	0x1a1b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:15.411082983 CEST	1.1.1.1	192.168.2.4	0xb586	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:16.472333908 CEST	1.1.1.1	192.168.2.4	0x6b07	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:16.472333908 CEST	1.1.1.1	192.168.2.4	0x6b07	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:16.484864950 CEST	1.1.1.1	192.168.2.4	0x77c0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:16.492990017 CEST	1.1.1.1	192.168.2.4	0xdcf4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 11:17:17.849215031 CEST	1.1.1.1	192.168.2.4	0x9e4b	No error (0)	youtube.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:17.864631891 CEST	1.1.1.1	192.168.2.4	0xadad	No error (0)	youtube.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:17.876823902 CEST	1.1.1.1	192.168.2.4	0x2b5	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 25, 2024 11:17:18.166433096 CEST	1.1.1.1	192.168.2.4	0xe804	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.211353064 CEST	1.1.1.1	192.168.2.4	0xa4e6	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.211353064 CEST	1.1.1.1	192.168.2.4	0xa4e6	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.217788935 CEST	1.1.1.1	192.168.2.4	0x1f2a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:18.217788935 CEST	1.1.1.1	192.168.2.4	0x1f2a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.511935949 CEST	1.1.1.1	192.168.2.4	0xaf71	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.522766113 CEST	1.1.1.1	192.168.2.4	0x1f29	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.525087118 CEST	1.1.1.1	192.168.2.4	0x8773	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:18.525087118 CEST	1.1.1.1	192.168.2.4	0x8773	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.535146952 CEST	1.1.1.1	192.168.2.4	0x82c9	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.540388107 CEST	1.1.1.1	192.168.2.4	0xe0ae	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:18.540388107 CEST	1.1.1.1	192.168.2.4	0xe0ae	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.553520918 CEST	1.1.1.1	192.168.2.4	0x2f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.667589903 CEST	1.1.1.1	192.168.2.4	0xab55	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:18.667589903 CEST	1.1.1.1	192.168.2.4	0xab55	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:18.667589903 CEST	1.1.1.1	192.168.2.4	0xab55	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.677164078 CEST	1.1.1.1	192.168.2.4	0xe9eb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:18.686300039 CEST	1.1.1.1	192.168.2.4	0x7643	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 11:17:18.830461025 CEST	1.1.1.1	192.168.2.4	0xc35b	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:20.442569017 CEST	1.1.1.1	192.168.2.4	0xdf53	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:20.470465899 CEST	1.1.1.1	192.168.2.4	0x300e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:20.819091082 CEST	1.1.1.1	192.168.2.4	0x3476	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:20.819091082 CEST	1.1.1.1	192.168.2.4	0x3476	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:20.820275068 CEST	1.1.1.1	192.168.2.4	0x8c68	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:20.830064058 CEST	1.1.1.1	192.168.2.4	0xcaf3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:21.612575054 CEST	1.1.1.1	192.168.2.4	0x490	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:21.612575054 CEST	1.1.1.1	192.168.2.4	0x490	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:21.633095026 CEST	1.1.1.1	192.168.2.4	0x2ccd	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:25.826128006 CEST	1.1.1.1	192.168.2.4	0xb972	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:25.833823919 CEST	1.1.1.1	192.168.2.4	0xf2	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:25.833823919 CEST	1.1.1.1	192.168.2.4	0xf2	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:25.833823919 CEST	1.1.1.1	192.168.2.4	0xf2	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:25.862970114 CEST	1.1.1.1	192.168.2.4	0xd4e6	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:33.207293034 CEST	1.1.1.1	192.168.2.4	0x7533	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.988701105 CEST	1.1.1.1	192.168.2.4	0xb0f9	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.989403009 CEST	1.1.1.1	192.168.2.4	0x6786	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:36.989403009 CEST	1.1.1.1	192.168.2.4	0x6786	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.989595890 CEST	1.1.1.1	192.168.2.4	0xd0e	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:36.989595890 CEST	1.1.1.1	192.168.2.4	0xd0e	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.996870041 CEST	1.1.1.1	192.168.2.4	0xbec2	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.998085022 CEST	1.1.1.1	192.168.2.4	0x78ce	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:36.998203993 CEST	1.1.1.1	192.168.2.4	0x8bd0	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.005532026 CEST	1.1.1.1	192.168.2.4	0x39ce	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 11:17:37.005532026 CEST	1.1.1.1	192.168.2.4	0x39ce	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 11:17:37.005532026 CEST	1.1.1.1	192.168.2.4	0x39ce	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 11:17:37.005532026 CEST	1.1.1.1	192.168.2.4	0x39ce	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 11:17:37.005705118 CEST	1.1.1.1	192.168.2.4	0x9b8b	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 11:17:37.006690979 CEST	1.1.1.1	192.168.2.4	0x52ff	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 11:17:37.014024019 CEST	1.1.1.1	192.168.2.4	0x3644	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:37.014024019 CEST	1.1.1.1	192.168.2.4	0x3644	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.014024019 CEST	1.1.1.1	192.168.2.4	0x3644	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.014024019 CEST	1.1.1.1	192.168.2.4	0x3644	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.014024019 CEST	1.1.1.1	192.168.2.4	0x3644	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.015140057 CEST	1.1.1.1	192.168.2.4	0xd7a6	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.022108078 CEST	1.1.1.1	192.168.2.4	0x6339	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.022108078 CEST	1.1.1.1	192.168.2.4	0x6339	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.022108078 CEST	1.1.1.1	192.168.2.4	0x6339	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.022108078 CEST	1.1.1.1	192.168.2.4	0x6339	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:37.023089886 CEST	1.1.1.1	192.168.2.4	0xfdd	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.050380945 CEST	1.1.1.1	192.168.2.4	0xbf04	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.050380945 CEST	1.1.1.1	192.168.2.4	0xbf04	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.050380945 CEST	1.1.1.1	192.168.2.4	0xbf04	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.050380945 CEST	1.1.1.1	192.168.2.4	0xbf04	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.084255934 CEST	1.1.1.1	192.168.2.4	0xd561	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.084255934 CEST	1.1.1.1	192.168.2.4	0xd561	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.084255934 CEST	1.1.1.1	192.168.2.4	0xd561	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.084255934 CEST	1.1.1.1	192.168.2.4	0xd561	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.104733944 CEST	1.1.1.1	192.168.2.4	0xc5c9	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:44.104733944 CEST	1.1.1.1	192.168.2.4	0xc5c9	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.117218971 CEST	1.1.1.1	192.168.2.4	0x8757	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:44.989080906 CEST	1.1.1.1	192.168.2.4	0xfbfc	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:17:45.357244015 CEST	1.1.1.1	192.168.2.4	0x15bc	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:17:45.357244015 CEST	1.1.1.1	192.168.2.4	0x15bc	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:18:06.226871967 CEST	1.1.1.1	192.168.2.4	0x38ab	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:18:06.226871967 CEST	1.1.1.1	192.168.2.4	0x38ab	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:18:14.105957031 CEST	1.1.1.1	192.168.2.4	0x69f0	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:18:46.687599897 CEST	1.1.1.1	192.168.2.4	0x845e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 11:18:47.315726042 CEST	1.1.1.1	192.168.2.4	0x11c4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 11:18:47.315726042 CEST	1.1.1.1	192.168.2.4	0x11c4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	34.107.221.82	80	5264	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 11:17:17.228435040 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:17.833723068 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74843 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	34.107.221.82	80	5264	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 11:17:18.226114035 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:18.814637899 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84145 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49752	34.107.221.82	80	5264	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 11:17:20.304909945 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:20.900856018 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74846 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:21.113169909 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:21.238234997 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74847 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:25.817199945 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:25.942280054 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74851 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:33.648602009 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:33.773802042 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74859 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:34.984006882 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:35.108731031 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74861 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:42.292958021 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:42.418932915 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74868 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:44.603434086 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:44.728594065 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74870 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:44.740588903 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:44.866765976 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74870 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:45.325067043 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:45.449770927 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74871 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:45.586992025 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:17:45.711479902 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74871 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:17:55.725702047 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:05.732712984 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:06.214560986 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:18:06.349036932 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:18:14.806133986 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:18:14.931158066 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74900 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:18:15.423263073 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:18:15.548765898 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74901 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:18:15.559709072 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:18:15.685199976 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74901 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:18:25.693193913 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:35.709820986 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:45.720674038 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:47.308374882 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 11:18:47.433135986 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 74933 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 11:18:57.438992977 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:19:07.458340883 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:19:17.474381924 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49757	34.107.221.82	80	5264	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 11:17:21.089037895 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49759	34.107.221.82	80	5264	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 11:17:21.697078943 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:22.301940918 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84149 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:32.309751034 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:17:33.161608934 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:33.288420916 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84160 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:33.552464008 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84160 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:34.948168993 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:35.074857950 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84162 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:35.112282038 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:35.239187002 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84162 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:42.422574997 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:42.551220894 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84169 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:44.730942011 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:44.857950926 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84171 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:44.870857954 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:44.998898983 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84171 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:45.452783108 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:45.579586983 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84172 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:45.714560032 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:17:45.841569901 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84172 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:17:55.857299089 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:05.864247084 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:06.352015972 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:18:06.479563951 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84193 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:18:14.965065002 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:18:15.098893881 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84202 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:18:15.553811073 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:18:15.680604935 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84202 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:18:15.687920094 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:18:15.814676046 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84202 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:18:25.815620899 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:35.841201067 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:45.852220058 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:18:47.436893940 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 11:18:47.563728094 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 84234 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 11:18:57.570559025 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:19:07.590013027 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 11:19:17.605895042 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	05:17:08
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6c0000
File size:	919'552 bytes
MD5 hash:	81179973941258193A072D65B533706C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:17:08
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x630000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:17:08
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:17:10
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x630000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:17:10
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:17:10
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x630000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:17:10
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:17:11
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x630000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:17:11
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:17:11
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x630000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:17:11
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:17:11
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:17:11
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:17:11
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	05:17:12
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b841c54-9063-4cde-bece-834a3cb9db18} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24cd016d510 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	05:17:14
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4128 -parentBuildID 20230927232528 -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4cd9f1b-c0c4-4422-89cd-b29c88cba1c3} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24ce0d91210 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	05:17:19
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5324 -prefMapHandle 1540 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1599c2d0-7688-43fa-a3dd-8a8d1812e970} 5264 "\\.\pipe\gecko-crash-server-pipe.5264" 24ce175b710 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1552
Total number of Limit Nodes:	66

Executed Functions

Function 006C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006C430D

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

GetCurrentProcess.KERNEL32(?,0075CB64,00000000,?,?), ref: 006C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006C44A0

Strings

GetNativeSystemInfo, xrefs: 006C4460
kernel32.dll, xrefs: 006C444F
|O, xrefs: 007036F8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 30b74a0290120210353925b2f932c93c3df2cf77a6fa66d31c483d7240a0c085
Instruction ID: a9a8cd5a7ce82a5437a2a74a02e437db84dfddc3ce94df8be3eb07dc3fe56268
Opcode Fuzzy Hash: 30b74a0290120210353925b2f932c93c3df2cf77a6fa66d31c483d7240a0c085
Instruction Fuzzy Hash: 18A1046590A3C2DFC716C7797C806E43FF9AB22300B98C99FD44193A62D62C452BCB2D

Function 006C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006C50AA,?,?,00000000,00000000), ref: 006C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006C50AA,?,?,00000000,00000000), ref: 006C42C9
LoadResource.KERNEL32(?,00000000,?,?,006C50AA,?,?,00000000,00000000,?,?,?,?,?,?,006C4F20), ref: 007035BE
SizeofResource.KERNEL32(?,00000000,?,?,006C50AA,?,?,00000000,00000000,?,?,?,?,?,?,006C4F20), ref: 007035D3
LockResource.KERNEL32(006C50AA,?,?,006C50AA,?,?,00000000,00000000,?,?,?,?,?,?,006C4F20,?), ref: 007035E6

Strings

SCRIPT, xrefs: 006C42BF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 171b728836e7144ddee6ed17e99d0ab772dbd2d1b1b84eb22033f13eb8ea8799
Instruction ID: 7d0ae5c5b71b4dbe094147a26ee833d7e017c7d081fe3c347e493125c75c2de5
Opcode Fuzzy Hash: 171b728836e7144ddee6ed17e99d0ab772dbd2d1b1b84eb22033f13eb8ea8799
Instruction Fuzzy Hash: C1117C70200704BFD7228B65DC49FA77BBAEFC5B52F20816DF806962A0DBB5DD00D620

Function 00702BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006C2B6B

Part of subcall function 006C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00791418,?,006C2E7F,?,?,?,00000000), ref: 006C3A78

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00782224), ref: 00702C10
ShellExecuteW.SHELL32(00000000,?,?,00782224), ref: 00702C17

Strings

runas, xrefs: 00702C0B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 25e055499fa8e559ad5c1dcd494a2797a0ab7d14fa24691ca7b1811a374dfac3
Instruction ID: 1a747b6bc2aee2420ceb966a9ed74aa77a8c9fb0bea6b181708a15a4d34c0407
Opcode Fuzzy Hash: 25e055499fa8e559ad5c1dcd494a2797a0ab7d14fa24691ca7b1811a374dfac3
Instruction Fuzzy Hash: AC1129712083825ACB85FF60E855FBEBBA6DF94310F44842DF446431B3CF28890AC71A

Function 0072D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0072D501
Process32FirstW.KERNEL32(00000000,?), ref: 0072D50F
Process32NextW.KERNEL32(00000000,?), ref: 0072D52F
CloseHandle.KERNELBASE(00000000), ref: 0072D5DC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 27417277559ee55d860cbe3ec7f7b454e53a0932c84a429523b62eb50bb22b8b
Instruction ID: f5d721ef95ff40323810a46e38e1d27aa308494ce7bb95d71d32c0bd6ad58583
Opcode Fuzzy Hash: 27417277559ee55d860cbe3ec7f7b454e53a0932c84a429523b62eb50bb22b8b
Instruction Fuzzy Hash: 7A31AD710083009FD311EF50D885FAABBE8EF99344F10082DF581821A1EBB19945CBA6

Function 0072DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00705222), ref: 0072DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0072DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0072DBEE
FindClose.KERNEL32(00000000), ref: 0072DBFA

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 644299b6ecb85dd045469698cdab35c1a1067894cded75e3c44043e412c2876c
Instruction ID: 5535610780dbd0225c22d82becd95b1036ffc9713fcd587019f858714e2a8f3c
Opcode Fuzzy Hash: 644299b6ecb85dd045469698cdab35c1a1067894cded75e3c44043e412c2876c
Instruction Fuzzy Hash: 63F0A030810B245F92316B78AC0D9AA376CEE01336F108702F836D20E0EBF85D94C6AA

Function 006E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006F28E9,?,006E4CBE,006F28E9,007888B8,0000000C,006E4E15,006F28E9,00000002,00000000,?,006F28E9), ref: 006E4D09
TerminateProcess.KERNEL32(00000000,?,006E4CBE,006F28E9,007888B8,0000000C,006E4E15,006F28E9,00000002,00000000,?,006F28E9), ref: 006E4D10
ExitProcess.KERNEL32 ref: 006E4D22

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cd77f57af6b4943716ff6f9c05dec2ea297078f7055ef725c7e1f2802eeae438
Instruction ID: 584fe844afc67d098059470857b8e670307d94a968dc20a012138827ab96295c
Opcode Fuzzy Hash: cd77f57af6b4943716ff6f9c05dec2ea297078f7055ef725c7e1f2802eeae438
Instruction Fuzzy Hash: 06E0B67100178CAFCF12AF65DD09B983F6AEF81782B108058FD05CA223CB79DD42CA88

Function 006CBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#y, xrefs: 007107CE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#y
API String ID: 3964851224-1019219899
Opcode ID: 9f690c3a2b0f4d97c5c8fb29b0895ef7e164ca8295ca3801b7696add4ea87052
Instruction ID: 578865722da015c3359ce5287ac708ce27d180e9455f9249404134dcf934bd77
Opcode Fuzzy Hash: 9f690c3a2b0f4d97c5c8fb29b0895ef7e164ca8295ca3801b7696add4ea87052
Instruction Fuzzy Hash: 2BA26C706083419FD714DF28C480B6AB7E2FF89314F14896DE89A9B392D775EC85CB92

Function 0074AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0074B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0074B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0074B1D4
_wcslen.LIBCMT ref: 0074B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0074B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0074B236
_wcslen.LIBCMT ref: 0074B332

Part of subcall function 007305A7: GetStdHandle.KERNEL32(000000F6), ref: 007305C6

_wcslen.LIBCMT ref: 0074B34B
_wcslen.LIBCMT ref: 0074B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0074B3B6
GetLastError.KERNEL32(00000000), ref: 0074B407
CloseHandle.KERNEL32(?), ref: 0074B439
CloseHandle.KERNEL32(00000000), ref: 0074B44A
CloseHandle.KERNEL32(00000000), ref: 0074B45C
CloseHandle.KERNEL32(00000000), ref: 0074B46E
CloseHandle.KERNEL32(?), ref: 0074B4E3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 11865fa8eb34dc85c4a702ad0284c33ded901a8afeb9ea043b310d3e3f11d8e4
Instruction ID: a4dd78860c5d1b8198947dafcdfe3cbb445c8d4090a9a01617a885751d1062c5
Opcode Fuzzy Hash: 11865fa8eb34dc85c4a702ad0284c33ded901a8afeb9ea043b310d3e3f11d8e4
Instruction Fuzzy Hash: AAF1AA316083409FC714EF24C895B6EBBE6EF85310F14895DF8999B2A2CB75EC04CB96

Function 006CD730 Relevance: 21.6, APIs: 14, Instructions: 625sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006CD807
timeGetTime.WINMM ref: 006CDA07
Sleep.KERNELBASE(0000000A), ref: 006CDBB1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 19703ec8ba3ff27c92b4df4815cc12e8ed31c670274864384bc21cdb1f02c3d7
Instruction ID: b67989a2b93eb88ff4e151ca3eff16eb55d05ba40fb5471716867719d4330745
Opcode Fuzzy Hash: 19703ec8ba3ff27c92b4df4815cc12e8ed31c670274864384bc21cdb1f02c3d7
Instruction Fuzzy Hash: 8642E070608341EFD728DF28C844FBAB7A2FF45300F14856EE55587292D778E896CB96

Function 006C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006C2D07
RegisterClassExW.USER32(00000030), ref: 006C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006C2D42
InitCommonControlsEx.COMCTL32(?), ref: 006C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006C2D6F
LoadIconW.USER32(000000A9), ref: 006C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006C2D94

Strings

TaskbarCreated, xrefs: 006C2D37
+, xrefs: 006C2CF0
AutoIt v3 GUI, xrefs: 006C2D23
0, xrefs: 006C2CE9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 469bbc67c4cf4025d3d9c85c9ec9c0c735c6765ee57e4ee1ee7b95ba3033e025
Instruction ID: 29da7571db28482ff09ebd3244338412e123c3461650273465216683ea508176
Opcode Fuzzy Hash: 469bbc67c4cf4025d3d9c85c9ec9c0c735c6765ee57e4ee1ee7b95ba3033e025
Instruction Fuzzy Hash: 4421E0B1D01349AFDB01DFA4EC89BDDBBB4FB08712F00811AF911A62A0D7B91555CFA8

Function 0070065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0070039A: CreateFileW.KERNELBASE(00000000,00000000,?,00700704,?,?,00000000,?,00700704,00000000,0000000C), ref: 007003B7

GetLastError.KERNEL32 ref: 0070076F
__dosmaperr.LIBCMT ref: 00700776
GetFileType.KERNELBASE(00000000), ref: 00700782
GetLastError.KERNEL32 ref: 0070078C
__dosmaperr.LIBCMT ref: 00700795
CloseHandle.KERNEL32(00000000), ref: 007007B5
CloseHandle.KERNEL32(?), ref: 007008FF
GetLastError.KERNEL32 ref: 00700931
__dosmaperr.LIBCMT ref: 00700938

Strings

H, xrefs: 007008BD

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: edc85344ac02081f830d7f981b5606afd11d9ab71d2ba957112001329877384f
Instruction ID: 5b71e1f8f9fbaf80745788e29bc2bdb3de5821fb39650ba04642f249664acbf5
Opcode Fuzzy Hash: edc85344ac02081f830d7f981b5606afd11d9ab71d2ba957112001329877384f
Instruction Fuzzy Hash: 47A13332A10248CFDF19EF68D855BAE3BE1AB06320F14425EF8159B2D1D7399D12CBD6

Function 006C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00791418,?,006C2E7F,?,?,?,00000000), ref: 006C3A78

Part of subcall function 006C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0070318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007031CE
RegCloseKey.ADVAPI32(?), ref: 00703210
_wcslen.LIBCMT ref: 00703277
_wcslen.LIBCMT ref: 00703286

Strings

\Include\, xrefs: 006C3527
\, xrefs: 0070328C
Software\AutoIt v3\AutoIt, xrefs: 006C3560
Include, xrefs: 00703184, 007031C5

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d97f9db80703dca6de2ba69d5b2daa2761c946e26c23661d788225b5f5254298
Instruction ID: 16c9e305b8169d00e8696eec1086ee58a3cd444a825c307302964cf802d65788
Opcode Fuzzy Hash: d97f9db80703dca6de2ba69d5b2daa2761c946e26c23661d788225b5f5254298
Instruction Fuzzy Hash: 8271A471405300AEC344EF65DC86DABBBE9FF85340F40852EF545C32A1DB789A4ACBA9

Function 006C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006C2B9D
LoadIconW.USER32(00000063), ref: 006C2BB3
LoadIconW.USER32(000000A4), ref: 006C2BC5
LoadIconW.USER32(000000A2), ref: 006C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006C2BEF
RegisterClassExW.USER32(?), ref: 006C2C40

Part of subcall function 006C2CD4: GetSysColorBrush.USER32(0000000F), ref: 006C2D07
Part of subcall function 006C2CD4: RegisterClassExW.USER32(00000030), ref: 006C2D31
Part of subcall function 006C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006C2D42
Part of subcall function 006C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006C2D5F
Part of subcall function 006C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006C2D6F
Part of subcall function 006C2CD4: LoadIconW.USER32(000000A9), ref: 006C2D85
Part of subcall function 006C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006C2D94

Strings

#, xrefs: 006C2C16
AutoIt v3, xrefs: 006C2C2F
0, xrefs: 006C2C0F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ec18a55fa2b380e3f361ae86dcf5afd61e44b0872f1993b5fd055afaa0409513
Instruction ID: de4b7d8932e5ba332cd564b0a9ba4ad586e5ecb6ec2ff9dc44d0e025486bbe9b
Opcode Fuzzy Hash: ec18a55fa2b380e3f361ae86dcf5afd61e44b0872f1993b5fd055afaa0409513
Instruction Fuzzy Hash: C0214970E00319AFDB119FA5EC55BAD7FB4FB08B50F44C12BE504A66A0D7B90561CF98

Function 006C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006C316A,?,?), ref: 006C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006C316A,?,?), ref: 006C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006C316A,?,?), ref: 006C3232
CreatePopupMenu.USER32 ref: 006C3246
PostQuitMessage.USER32(00000000), ref: 006C3267

Strings

TaskbarCreated, xrefs: 006C322D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 29d17889f12040c73fbff024eb6d71c7a579d7d928219de5ff2fc754bd0a4bec
Instruction ID: 8889b0c0fe4371a5d4ca4a296c8b7fe90b46b1c6489df5e474d449e1005141b0
Opcode Fuzzy Hash: 29d17889f12040c73fbff024eb6d71c7a579d7d928219de5ff2fc754bd0a4bec
Instruction Fuzzy Hash: 57411831240325AEDF151B389D0DFF93A6AE705340F48C12EF50185BA2C76DDF129BA9

Function 006C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006C1459
CoUninitialize.COMBASE ref: 006C14F8
UnregisterHotKey.USER32(?), ref: 006C16DD
DestroyWindow.USER32(?), ref: 007024B9
FreeLibrary.KERNEL32(?), ref: 0070251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0070254B

Strings

close all, xrefs: 006C1454

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 193b7100ebfdc026f06abb8c7f91060191147fade45664389375fb1489074c19
Instruction ID: 6533ea6255ce288719fbe82a5fc1bdd0f6ff198430af8462ef0a1056ec099108
Opcode Fuzzy Hash: 193b7100ebfdc026f06abb8c7f91060191147fade45664389375fb1489074c19
Instruction Fuzzy Hash: 55D11731601212CFDB19EF15C899F69F7A6FF06700F1442ADE44A6B292DB35AD22CF58

Function 006C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006C1CAD,?), ref: 006C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006C1CAD,?), ref: 006C2CCF

Strings

AutoIt v3, xrefs: 006C2C89, 006C2C8E, 006C2C8F
edit, xrefs: 006C2CAC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cf50ba6c2a59cffb189bd4f080d94d862e3b4c41f73b6d053bb7ee7bee210771
Instruction ID: c480e97cec7bfc8cacb901260d92740d7f61c41b06731a4d3f3a3ffe4f118150
Opcode Fuzzy Hash: cf50ba6c2a59cffb189bd4f080d94d862e3b4c41f73b6d053bb7ee7bee210771
Instruction Fuzzy Hash: C8F0DA755403917EEB311727AC08FB72EBDD7CAF51B40805AF904A29A0C6B91866DAB8

Function 006C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006C3B0F,SwapMouseButtons,00000004,?), ref: 006C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006C3B0F,SwapMouseButtons,00000004,?), ref: 006C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006C3B0F,SwapMouseButtons,00000004,?), ref: 006C3B83

Strings

Control Panel\Mouse, xrefs: 006C3B3E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3204bf287a92c18c3b38fbc1ddc7f08d72237fb6d4ea7b07406a05110742f360
Instruction ID: 3ff73724fa8896ef4618922b28102b87499305f7d3a0a78b5b4d18ee04fec493
Opcode Fuzzy Hash: 3204bf287a92c18c3b38fbc1ddc7f08d72237fb6d4ea7b07406a05110742f360
Instruction Fuzzy Hash: 11112AB5510218FFDB218FA5DC44EFFB7B9EF24755B10845AB805D7210E2719E409BA4

Function 006C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007033A2

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006C3A04

Strings

Line: , xrefs: 007033EB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8c88b86dc057605c3a35b65f353bc51a5359ae1f184bcca38cb9e3720f5a75f3
Instruction ID: b552a86b9402421fdecf315a802873782b6f1a4c237ccdc9a450dec7a73c6820
Opcode Fuzzy Hash: 8c88b86dc057605c3a35b65f353bc51a5359ae1f184bcca38cb9e3720f5a75f3
Instruction Fuzzy Hash: BF31F871408351AED761EB20DC45FFBB7E9EB40310F008A1EF59983291EB749655C7CA

Function 006C2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00702C8C

Part of subcall function 006C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006C3A97,?,?,006C2E7F,?,?,?,00000000), ref: 006C3AC2

Part of subcall function 006C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006C2DC4

Strings

`ex, xrefs: 00702C85
X, xrefs: 00702C5A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ex
API String ID: 779396738-4019381938
Opcode ID: d949a1e789da6cf9291ce47bf816a55c94322b70fe81dc285711ac8861236cfd
Instruction ID: 93e3b256e518cf8d3d6564a860872c5f50a3ea8bed98671d93921bab70a31854
Opcode Fuzzy Hash: d949a1e789da6cf9291ce47bf816a55c94322b70fe81dc285711ac8861236cfd
Instruction Fuzzy Hash: FE21A871A002989FDB41EF94C859BEE7BFDEF48314F00805DE505B7281DBB85A498F65

Function 006DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 006E0668

Part of subcall function 006E32A4: RaiseException.KERNEL32(?,?,?,006E068A,?,00791444,?,?,?,?,?,?,006E068A,006C1129,00788738,006C1129), ref: 006E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 006E0685

Strings

Unknown exception, xrefs: 006E0692

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 474279b57d00bb5a6430fbd807997ddd0ff2e30cf0aec37f445dcfacb4b23e4a
Instruction ID: b8c8048210f732737b56d381b25cc17004f75051d24ef441ef37459df4aa261a
Opcode Fuzzy Hash: 474279b57d00bb5a6430fbd807997ddd0ff2e30cf0aec37f445dcfacb4b23e4a
Instruction Fuzzy Hash: DBF02234D0138C77CB40B7A6D84AD9E777F5E00300BA0403AB924D6692EFB1DBA6CA84

Function 006C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006C1BF4
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006C1BFC
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006C1C07
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006C1C12
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006C1C1A
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006C1C22

Part of subcall function 006C1B4A: RegisterWindowMessageW.USER32(00000004,?,006C12C4), ref: 006C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006C136A
OleInitialize.OLE32 ref: 006C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 007024AB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 74835c98670835fb6a9e9be42300f1ec6556c6dd21d818f18cc59ac6db22a2a9
Instruction ID: 25e777e4e00d2a3335ae6ab8373d8b149cac91b31e153493d9c01b11e2de9ff0
Opcode Fuzzy Hash: 74835c98670835fb6a9e9be42300f1ec6556c6dd21d818f18cc59ac6db22a2a9
Instruction Fuzzy Hash: 8371CAB48113428FC785DF69A945AA43AE1FB893943C6C22F941ACB361EB384472CF4C

Function 0072C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006C3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0072C259
KillTimer.USER32(?,00000001,?,?), ref: 0072C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0072C270

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 906c7e4eb4641239da8e956e1948ba1e24dbc2efb39406abb64a0192e476ddd2
Instruction ID: d0c2a20a287cebcbf08fea3a7603ebea4b812aa2b23e2ba1a73cfeb64118fa45
Opcode Fuzzy Hash: 906c7e4eb4641239da8e956e1948ba1e24dbc2efb39406abb64a0192e476ddd2
Instruction Fuzzy Hash: C831C370904364AFEB63CF649855BEBBBECAF16308F00449ED2DA93241C7785A85CB55

Function 006F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006F85CC,?,00788CC8,0000000C), ref: 006F8704
GetLastError.KERNEL32(?,006F85CC,?,00788CC8,0000000C), ref: 006F870E
__dosmaperr.LIBCMT ref: 006F8739

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 1a0f465cdaae48069d52170b1747d26d3e1cf2da7a1bf165565ba7f5c7030f2f
Instruction ID: 0908fa942d8c65a967ba274221e1e30e2b8a417c48824d20032f032fe3d36519
Opcode Fuzzy Hash: 1a0f465cdaae48069d52170b1747d26d3e1cf2da7a1bf165565ba7f5c7030f2f
Instruction Fuzzy Hash: 03016B33605A6C1EC660633868497BE278B4B82779F39019DFB05CB2D3EEA48C818198

Function 006CDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006CDB7B
DispatchMessageW.USER32(?), ref: 006CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006CDB9F
Sleep.KERNELBASE(0000000A), ref: 006CDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00711CC9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 684bbad10ed3a08912e1d47132f9f830b32d50cf63900d4162c319225dfd3c69
Instruction ID: af173e0686d3153f696d7bf958a3cdac44a5aa9511bd78d548308086c760d9c5
Opcode Fuzzy Hash: 684bbad10ed3a08912e1d47132f9f830b32d50cf63900d4162c319225dfd3c69
Instruction Fuzzy Hash: EDF089305443419BE730CB60DC45FEA73ADEF44311F508929E619C70C0DB789485DB29

Function 006D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006D17F6

Strings

CALL, xrefs: 006D17C6

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5d1f9ebcfdddc83e6e7881b6e583e03bb4f892ed15dc2a87874a31decbda5123
Instruction ID: 5560f4c0d0a2733ac20689f2b58f80a9a8b472cbf1f111f1b48bbadd4b3741cc
Opcode Fuzzy Hash: 5d1f9ebcfdddc83e6e7881b6e583e03bb4f892ed15dc2a87874a31decbda5123
Instruction Fuzzy Hash: C522AEB0A08341EFC714DF18C480A6ABBF2BF86314F14855EF4968B3A1D7B5E955CB52

Function 006C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 006C3908

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b99ddd5aff8588ad5a7fc409d89dc3796fadacda6ed90d8296fa471166e7b4fc
Instruction ID: d310366dda577868b9d6f715792ef69013d312caaa7bbb25ad335815bce409de
Opcode Fuzzy Hash: b99ddd5aff8588ad5a7fc409d89dc3796fadacda6ed90d8296fa471166e7b4fc
Instruction Fuzzy Hash: 8F319C706057118FD361DF24D885BA7BBF8FB49308F00492EF59983380E7B5AA44CB96

Function 006DF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006DF661

Part of subcall function 006CD730: GetInputState.USER32 ref: 006CD807

Sleep.KERNEL32(00000000), ref: 0071F2DE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: b5a630c3ffdbee14176c62154869905c50e3d96023a220d8c94dd2e56d5ac5a5
Instruction ID: 4c46f9689b9ad9cb64e427c841bc552c7a0ec7c79c54360ba9fb3841a115def4
Opcode Fuzzy Hash: b5a630c3ffdbee14176c62154869905c50e3d96023a220d8c94dd2e56d5ac5a5
Instruction Fuzzy Hash: B5F08C712407059FD350EF69D44AFAAB7E9FF59761F00402EE85AC73A0DBB0A800CB98

Function 006C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006C4EDD,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E9C
Part of subcall function 006C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006C4EAE
Part of subcall function 006C4E90: FreeLibrary.KERNEL32(00000000,?,?,006C4EDD,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4EFD

Part of subcall function 006C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00703CDE,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E62
Part of subcall function 006C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006C4E74
Part of subcall function 006C4E59: FreeLibrary.KERNEL32(00000000,?,?,00703CDE,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E87

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: fa6b1c70ad0c4e6a7f6668a1ac83d15c6fb48bbfcad8f3f330657200089b923b
Instruction ID: 8745e8618b002ce770d67a9ff1eba3c013342c29135dfae9f25746951dddf3cd
Opcode Fuzzy Hash: fa6b1c70ad0c4e6a7f6668a1ac83d15c6fb48bbfcad8f3f330657200089b923b
Instruction Fuzzy Hash: CB112332600305AADB10EB60DC22FFD77A6EF94710F10842EF452A71C2EEB5AA459758

Function 006F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 006F8440

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 215bb2b72df2e978f5f9f42806448e9f4f07fa4adba1cdd16052365d1fcd9fbe
Instruction ID: 092f4c6b6a520d4c9a1fef83c4c321fb7f39c274bd48607371817db41b871dff
Opcode Fuzzy Hash: 215bb2b72df2e978f5f9f42806448e9f4f07fa4adba1cdd16052365d1fcd9fbe
Instruction Fuzzy Hash: 1411487190410AAFCB05DF58E9419EE7BF5EF48310F104099F908AB312DB30EA11CBA4

Function 006F5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006F4C7D: RtlAllocateHeap.NTDLL(00000008,006C1129,00000000,?,006F2E29,00000001,00000364,?,?,?,006EF2DE,006F3863,00791444,?,006DFDF5,?), ref: 006F4CBE

_free.LIBCMT ref: 006F506C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 8936b82ab588d02ed024236a368a660174e7de07e7b2aeaad631b86874e52404
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: AB014E722047095BE3318F55D8419AAFBEEFB85370F25051DE395832C0EA706C05C774

Function 006EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1e9e79b8bf44371711e811898ad7473e18188b14380faffd662fb8b1ccbc5bab
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 6AF0F932512B549BC6313B679C05BA6339B9F52375F10071DF620932D2DF75D4028AAD

Function 006F4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,006C1129,00000000,?,006F2E29,00000001,00000364,?,?,?,006EF2DE,006F3863,00791444,?,006DFDF5,?), ref: 006F4CBE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b8a18ebd996ec8b709d3ba9512f7f469b18a3063bffa7351d3b59ee7a691cfad
Instruction ID: 73f577ba64c9bd37692bf4839529630a6d83457fb5bf25a7b49558c64e8c4c1a
Opcode Fuzzy Hash: b8a18ebd996ec8b709d3ba9512f7f469b18a3063bffa7351d3b59ee7a691cfad
Instruction Fuzzy Hash: 71F0243120336C67DB211F72AC05BBB379BAF407A0B049115BB15A7B81CE30D80186A4

Function 006F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 387f6b5265c29455d96b3d316f969a99fdb82b7a70e494ee0075c57c972b07ac
Instruction ID: 4574db731cd619f261472d1c8d2f9b0ff74f9aa9b64d95565b5afac0cbb3fbed
Opcode Fuzzy Hash: 387f6b5265c29455d96b3d316f969a99fdb82b7a70e494ee0075c57c972b07ac
Instruction Fuzzy Hash: 34E0E53110137CAAD661267B9D01BFA375BAF427F0F050025BE2592780DF19DE0282E4

Function 006C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4F6D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b38bffd205655b95b0add2ec4faa89695341fde4d115cff7ae8ad28f065b0372
Instruction ID: 3f54a6147dff7cc0763c2b1d21405e2548bc5bf7af15f96196c4fca710ff16cf
Opcode Fuzzy Hash: b38bffd205655b95b0add2ec4faa89695341fde4d115cff7ae8ad28f065b0372
Instruction Fuzzy Hash: 9FF03971105752CFDB34DF64D4A0EA2BBE6EF54329320C97EE1EA82621CB329844DF10

Function 00752A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00752A66

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7cee3d808a18adcb2bd1f4d9370c1f92e078583f00e880aa647a87bcdaaaa3b2
Instruction ID: 011bf5489d00672af02cacfee6d7e95130ecd03febf73bb572b4a44b7c429298
Opcode Fuzzy Hash: 7cee3d808a18adcb2bd1f4d9370c1f92e078583f00e880aa647a87bcdaaaa3b2
Instruction Fuzzy Hash: B2E0DF32340226AAC750EA30EC848FA734CEB11396B108536EC1AC2101DB7C9A9A86A0

Function 006C30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 006C314E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 92840d57c486548b34938e13b74815862b76aa36600e5937a81d063174a56697
Instruction ID: 90f07a9af8f3784bb1073e16bbcab717e798078be6b09aee600a4c904e17c902
Opcode Fuzzy Hash: 92840d57c486548b34938e13b74815862b76aa36600e5937a81d063174a56697
Instruction Fuzzy Hash: 95F0A7709003559FE7929B24DC46BD57BBCA70170CF0041EAA14896281D7744B89CF45

Function 006C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006C2DC4

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 90cc822e030f4081646088b1f1ce17ed63cbe6b28dfb098adba5eb8e5eebc747
Instruction ID: 3d8a9e5588bebf5909c51a382bbc871d74ee23e0d78ff1b2a7cba14a41406b74
Opcode Fuzzy Hash: 90cc822e030f4081646088b1f1ce17ed63cbe6b28dfb098adba5eb8e5eebc747
Instruction Fuzzy Hash: 18E0CD726002245BC711D258DC05FEA77DDDFC8790F044175FD09E7248D964AD808554

Function 006C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006C3908

Part of subcall function 006CD730: GetInputState.USER32 ref: 006CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006C2B6B

Part of subcall function 006C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006C314E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5f0d24b6b7c8e50b4efa33e8800960664803ce86d044d7571c984473f92cddda
Instruction ID: cea36a99b3c190443c89e5927019a3f6e40e924a7c04ddfa5b7617c2895b690f
Opcode Fuzzy Hash: 5f0d24b6b7c8e50b4efa33e8800960664803ce86d044d7571c984473f92cddda
Instruction Fuzzy Hash: 77E0262230035506CB48BB30A816FBDB35BCBD5351F40843EF04283272CE288957426E

Function 0070039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00700704,?,?,00000000,?,00700704,00000000,0000000C), ref: 007003B7

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d5edfbb7d07d85de61100e86eb23d535316a86893b4e00d6916055e0c5355c23
Instruction ID: 78354ec68e066b45a57d815b2e1dc6242e43dfab428df7409a4c9ae96fbc009a
Opcode Fuzzy Hash: d5edfbb7d07d85de61100e86eb23d535316a86893b4e00d6916055e0c5355c23
Instruction Fuzzy Hash: FAD06C3204020DBFDF028F84DD06EDA3BAAFB48714F018000BE1856020C776E821AB94

Function 006C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006C1CBC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0c88d100ff10ab9b097272ca9b81dc899b27240be47e6da5fc863297aef77d79
Instruction ID: 40662c71f369ff333a971df343cca03031f3b3e19626c78d1069047cad3281f8
Opcode Fuzzy Hash: 0c88d100ff10ab9b097272ca9b81dc899b27240be47e6da5fc863297aef77d79
Instruction Fuzzy Hash: D7C09B35280305AFF21557D0BC5AF507764A348B01F54C002F60D555E3D3F51832D658

Non-executed Functions

Function 00759576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0075961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0075965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0075969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007596C9
SendMessageW.USER32 ref: 007596F2
GetKeyState.USER32(00000011), ref: 0075978B
GetKeyState.USER32(00000009), ref: 00759798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007597AE
GetKeyState.USER32(00000010), ref: 007597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007597E9
SendMessageW.USER32 ref: 00759810
SendMessageW.USER32(?,00001030,?,00757E95), ref: 00759918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0075992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00759941
SetCapture.USER32(?), ref: 0075994A
ClientToScreen.USER32(?,?), ref: 007599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007599D6
ReleaseCapture.USER32 ref: 007599E1
GetCursorPos.USER32(?), ref: 00759A19
ScreenToClient.USER32(?,?), ref: 00759A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00759A80
SendMessageW.USER32 ref: 00759AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00759AEB
SendMessageW.USER32 ref: 00759B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00759B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00759B4A
GetCursorPos.USER32(?), ref: 00759B68
ScreenToClient.USER32(?,?), ref: 00759B75
GetParent.USER32(?), ref: 00759B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00759BFA
SendMessageW.USER32 ref: 00759C2B
ClientToScreen.USER32(?,?), ref: 00759C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00759CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00759CDE
SendMessageW.USER32 ref: 00759D01
ClientToScreen.USER32(?,?), ref: 00759D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00759D82

Part of subcall function 006D9944: GetWindowLongW.USER32(?,000000EB), ref: 006D9952

GetWindowLongW.USER32(?,000000F0), ref: 00759E05

Strings

p#y, xrefs: 00759990
F, xrefs: 00759D07
@GUI_DRAGID, xrefs: 0075997D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#y
API String ID: 3429851547-3268430869
Opcode ID: e062dd2d18a10a765269d9b4b5e8b4597134d9f322db98bb197937be9b787a3a
Instruction ID: 0cdabc7adbdef9889947b16166c61576b4fe46bffa6c43fe895b1f48d0bada51
Opcode Fuzzy Hash: e062dd2d18a10a765269d9b4b5e8b4597134d9f322db98bb197937be9b787a3a
Instruction Fuzzy Hash: 5642AD30204341EFDB21CF24CD44BEABBE5EF48321F10495DFA59872A0D7B9A869DB95

Function 00754873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00754908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00754927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0075494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0075495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0075497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00754A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00754A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00754A7E
IsMenu.USER32(?), ref: 00754A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00754AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00754B20
GetWindowLongW.USER32(?,000000F0), ref: 00754B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00754BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00754C82
wsprintfW.USER32 ref: 00754CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00754CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00754CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00754D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00754D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00754D5A

Strings

%d/%02d/%02d, xrefs: 00754CA8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 880f95163e3bb8db4a1499f95735c690a4973ea6f2778a405c74c699d252f2a6
Instruction ID: 2bc904241beb6f5a43562a6946f976dce0de325194c17f307c49896436b39a09
Opcode Fuzzy Hash: 880f95163e3bb8db4a1499f95735c690a4973ea6f2778a405c74c699d252f2a6
Instruction Fuzzy Hash: 3B12FF71A00344ABEB258F28CC49FEE7BF8EF44315F144159F916DA2E1DBB89A85CB50

Function 006DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0071F474
IsIconic.USER32(00000000), ref: 0071F47D
ShowWindow.USER32(00000000,00000009), ref: 0071F48A
SetForegroundWindow.USER32(00000000), ref: 0071F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0071F4AA
GetCurrentThreadId.KERNEL32 ref: 0071F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0071F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0071F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0071F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0071F4DE
SetForegroundWindow.USER32(00000000), ref: 0071F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071F4F6
keybd_event.USER32(00000012,00000000), ref: 0071F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071F50B
keybd_event.USER32(00000012,00000000), ref: 0071F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071F519
keybd_event.USER32(00000012,00000000), ref: 0071F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071F528
keybd_event.USER32(00000012,00000000), ref: 0071F52D
SetForegroundWindow.USER32(00000000), ref: 0071F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0071F557

Strings

Shell_TrayWnd, xrefs: 0071F46F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 84a8af94b3010f9b747aade00536b8d09778cc6c1d050bad7d2a2520125c5097
Instruction ID: a5f45597a8005e8ef1c9b5c3b4f6d756bc6911adb379176969b3afb7bf93cfa8
Opcode Fuzzy Hash: 84a8af94b3010f9b747aade00536b8d09778cc6c1d050bad7d2a2520125c5097
Instruction Fuzzy Hash: F631D471A40318BFEB216BB54C4AFFF3E6DEB44B11F204065FA00E61D1D6F45D50AA64

Function 00721201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072170D
Part of subcall function 007216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0072173A
Part of subcall function 007216C3: GetLastError.KERNEL32 ref: 0072174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00721286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007212A8
CloseHandle.KERNEL32(?), ref: 007212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007212D1
GetProcessWindowStation.USER32 ref: 007212EA
SetProcessWindowStation.USER32(00000000), ref: 007212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00721310

Part of subcall function 007210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007211FC), ref: 007210D4
Part of subcall function 007210BF: CloseHandle.KERNEL32(?,?,007211FC), ref: 007210E9

Strings

, xrefs: 0072125A
default, xrefs: 0072130B
winsta0, xrefs: 007212CC
Zx, xrefs: 00721392

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zx
API String ID: 22674027-2903830162
Opcode ID: df211dc3218b0e8249e95f237ed1ba4e01ca9d22a2d920dffc50af4f85346a1b
Instruction ID: ff2d49bc95d482248838106e54899499e65bf7afec8165b32712a4da8a844e8b
Opcode Fuzzy Hash: df211dc3218b0e8249e95f237ed1ba4e01ca9d22a2d920dffc50af4f85346a1b
Instruction Fuzzy Hash: 0B81CF71900398AFDF21AFA4EC49FEE7BB9FF04700F148129F915A61A0C7798A45CB65

Function 00720B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00721114
Part of subcall function 007210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721120
Part of subcall function 007210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 0072112F
Part of subcall function 007210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721136
Part of subcall function 007210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0072114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00720BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00720C00
GetLengthSid.ADVAPI32(?), ref: 00720C17
GetAce.ADVAPI32(?,00000000,?), ref: 00720C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00720C6D
GetLengthSid.ADVAPI32(?), ref: 00720C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00720C8C
HeapAlloc.KERNEL32(00000000), ref: 00720C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00720CB4
CopySid.ADVAPI32(00000000), ref: 00720CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00720CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00720D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00720D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720D45
HeapFree.KERNEL32(00000000), ref: 00720D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720D55
HeapFree.KERNEL32(00000000), ref: 00720D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720D65
HeapFree.KERNEL32(00000000), ref: 00720D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00720D78
HeapFree.KERNEL32(00000000), ref: 00720D7F

Part of subcall function 00721193: GetProcessHeap.KERNEL32(00000008,00720BB1,?,00000000,?,00720BB1,?), ref: 007211A1
Part of subcall function 00721193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00720BB1,?), ref: 007211A8
Part of subcall function 00721193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00720BB1,?), ref: 007211B7

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7beea98e632300e1957a0297eaa6214a573365fbe04eea9eeb7f58ef1b973e24
Instruction ID: fa235d16f581f796e5310a68f4a42e0e16dc42706bfcf5d32791646244c242c1
Opcode Fuzzy Hash: 7beea98e632300e1957a0297eaa6214a573365fbe04eea9eeb7f58ef1b973e24
Instruction Fuzzy Hash: BA718CB1A0131AAFDF119FA4EC45BEEBBB8FF04311F048115E914A6192D7B9A905CFB0

Function 0073EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0075CC08), ref: 0073EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0073EB37
GetClipboardData.USER32(0000000D), ref: 0073EB43
CloseClipboard.USER32 ref: 0073EB4F
GlobalLock.KERNEL32(00000000), ref: 0073EB87
CloseClipboard.USER32 ref: 0073EB91
GlobalUnlock.KERNEL32(00000000), ref: 0073EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0073EBC9
GetClipboardData.USER32(00000001), ref: 0073EBD1
GlobalLock.KERNEL32(00000000), ref: 0073EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0073EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0073EC38
GetClipboardData.USER32(0000000F), ref: 0073EC44
GlobalLock.KERNEL32(00000000), ref: 0073EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0073EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0073EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0073ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0073ECF3
CountClipboardFormats.USER32 ref: 0073ED14
CloseClipboard.USER32 ref: 0073ED59

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 52a8439bdf3221818bb40964f65aadcae68cb23dd6a7e873efdba069248d70cd
Instruction ID: 56b8fe87087c5b9cdb989dc7e25e691a9d6369c7744a3ae9293e5d24057f700f
Opcode Fuzzy Hash: 52a8439bdf3221818bb40964f65aadcae68cb23dd6a7e873efdba069248d70cd
Instruction Fuzzy Hash: B361CE742043019FE302EF24D889FBAB7A5EF84704F14855DF456972E2CB79D905CBA6

Function 0073698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007369BE
FindClose.KERNEL32(00000000), ref: 00736A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00736A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00736A75

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00736AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00736ADF

Strings

%02d, xrefs: 00736C00, 00736C0A, 00736C5A, 00736CAA, 00736CFA, 00736D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00736B32
%4d, xrefs: 00736BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00736B6A
%03d, xrefs: 00736DA2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f86af7a63505b5c9389554e8b184175aaf50ae616f64e51796468362b3870feb
Instruction ID: c62fe6d510edf8f3b3e50a3dde89f46dc89fa1e6fcabc90bf98cfe7da91d6b4c
Opcode Fuzzy Hash: f86af7a63505b5c9389554e8b184175aaf50ae616f64e51796468362b3870feb
Instruction Fuzzy Hash: 9BD15FB2508300AEC354EBA4C885EBBB7EDEF88704F04491EF595D7191EB78DA04CB66

Function 00739642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00739663
GetFileAttributesW.KERNEL32(?), ref: 007396A1
SetFileAttributesW.KERNEL32(?,?), ref: 007396BB
FindNextFileW.KERNEL32(00000000,?), ref: 007396D3
FindClose.KERNEL32(00000000), ref: 007396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0073974A
SetCurrentDirectoryW.KERNEL32(00786B7C), ref: 00739768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00739772
FindClose.KERNEL32(00000000), ref: 0073977F
FindClose.KERNEL32(00000000), ref: 0073978F

Strings

*.*, xrefs: 007396F5

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 5efdd87cf3db3c21d5dcc095180522b88ee2635d780c2d6ef7125824103e91ce
Instruction ID: 90a0d933bc670c9722c09a2af5410dba08f26aa30eba2dec6f8618cd9326cf50
Opcode Fuzzy Hash: 5efdd87cf3db3c21d5dcc095180522b88ee2635d780c2d6ef7125824103e91ce
Instruction Fuzzy Hash: 1031C37254131AAFEF11AFB4DC49ADE77ACAF09321F108155FA05E20E1DBB8DE448A14

Function 0073979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00739819
FindClose.KERNEL32(00000000), ref: 00739824
FindFirstFileW.KERNEL32(*.*,?), ref: 00739840
SetCurrentDirectoryW.KERNEL32(?), ref: 00739890
SetCurrentDirectoryW.KERNEL32(00786B7C), ref: 007398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007398B8
FindClose.KERNEL32(00000000), ref: 007398C5
FindClose.KERNEL32(00000000), ref: 007398D5

Part of subcall function 0072DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0072DB00

Strings

*.*, xrefs: 0073983B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b1e61f4658880864ffb11053bdb50ff5f257a7dcdc57c504aff71fc51b67e480
Instruction ID: 7e34c3f82db4e00fa7ef5b25d99d1c0e16d10312ffea5b900f0a443947c1a536
Opcode Fuzzy Hash: b1e61f4658880864ffb11053bdb50ff5f257a7dcdc57c504aff71fc51b67e480
Instruction Fuzzy Hash: D831F47254031A7EEF10EFB4EC48ADE77ACAF46325F108155EA50A20A1DBB8DE45CF24

Function 0074BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0074C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074C9F1
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA68
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0074BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0074BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0074C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0074C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0074C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0074C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0074C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0074C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0074C382
RegCloseKey.ADVAPI32(00000000), ref: 0074C38F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3eb818d3d4a30991d77e9f1f5024f3651ea7cbd206f717b688ceb95a538f2498
Instruction ID: 5b6ec5f863c9465a36ffb44c6d33b4e1d9247afd58282a31ab4c74271da24aca
Opcode Fuzzy Hash: 3eb818d3d4a30991d77e9f1f5024f3651ea7cbd206f717b688ceb95a538f2498
Instruction Fuzzy Hash: FC026E71604200AFD755DF24C895E2ABBE5EF89318F18C49DF84ACB2A2DB35EC45CB52

Function 00738195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00738257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00738267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00738273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00738310
SetCurrentDirectoryW.KERNEL32(?), ref: 00738324
SetCurrentDirectoryW.KERNEL32(?), ref: 00738356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0073838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00738395

Strings

*.*, xrefs: 0073839B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b997d594d0400aebbe42e922770afe330c87d9a78b2c4fdeb61ff592327665f4
Instruction ID: 8ba84226baf583982e440d771adf48aaf3007b89174be87f1304ba5a53efcb65
Opcode Fuzzy Hash: b997d594d0400aebbe42e922770afe330c87d9a78b2c4fdeb61ff592327665f4
Instruction Fuzzy Hash: CE6179B25043459FD750EF60C844EAEB3E9FF89310F04891EF98987252DB39E905CB96

Function 0072D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006C3A97,?,?,006C2E7F,?,?,?,00000000), ref: 006C3AC2

Part of subcall function 0072E199: GetFileAttributesW.KERNEL32(?,0072CF95), ref: 0072E19A

FindFirstFileW.KERNEL32(?,?), ref: 0072D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0072D1DD
MoveFileW.KERNEL32(?,?), ref: 0072D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0072D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0072D237

Part of subcall function 0072D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0072D21C,?,?), ref: 0072D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0072D253
FindClose.KERNEL32(00000000), ref: 0072D264

Strings

\*.*, xrefs: 0072D0CD, 0072D0D6, 0072D0EB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3180d975aaed58476ff8ed5bbe808d9621111346865fe004aca3f572e13ba4cf
Instruction ID: a0e35236e4367f0fb450b99a3784a8d378850f548efb7c48554f192bb0f8c54f
Opcode Fuzzy Hash: 3180d975aaed58476ff8ed5bbe808d9621111346865fe004aca3f572e13ba4cf
Instruction Fuzzy Hash: C6613B3180126D9ACF55EBE0E956EFDB7B6EF15300F208169E40277191EB389F09CB65

Function 0073ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0073ED91
EmptyClipboard.USER32 ref: 0073ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0073EDAC
CloseClipboard.USER32 ref: 0073EEA3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6a1da63b0e6da08b349c7c47d6dd52cfc764060682457b8e56f55812a75bc995
Instruction ID: 5367d3fe973bfc481f0703083b37853d95a409db22359b068492825573d7f122
Opcode Fuzzy Hash: 6a1da63b0e6da08b349c7c47d6dd52cfc764060682457b8e56f55812a75bc995
Instruction Fuzzy Hash: 3D41AD35204611AFE321DF15D888F6ABBE1FF44329F14C09DE4298B6A2C779ED42CB94

Function 0072E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072170D
Part of subcall function 007216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0072173A
Part of subcall function 007216C3: GetLastError.KERNEL32 ref: 0072174A

ExitWindowsEx.USER32(?,00000000), ref: 0072E932

Strings

, xrefs: 0072E920
@, xrefs: 0072E925
SeShutdownPrivilege, xrefs: 0072E902
, xrefs: 0072E95C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ca9701a211129c3d9d2c79782b4e23646f9699185d7d1f36dcf0ca5b1b9c0407
Instruction ID: 1f5b25e05fb655632a776be7fc73766db06731c538ac8a444ef1a00dfaefae09
Opcode Fuzzy Hash: ca9701a211129c3d9d2c79782b4e23646f9699185d7d1f36dcf0ca5b1b9c0407
Instruction Fuzzy Hash: C7012672610330AFEB2422B4BC8ABBF725CA714741F154427F842E20D1E9AC6C808295

Function 00741204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00741276
WSAGetLastError.WSOCK32 ref: 00741283
bind.WSOCK32(00000000,?,00000010), ref: 007412BA
WSAGetLastError.WSOCK32 ref: 007412C5
closesocket.WSOCK32(00000000), ref: 007412F4
listen.WSOCK32(00000000,00000005), ref: 00741303
WSAGetLastError.WSOCK32 ref: 0074130D
closesocket.WSOCK32(00000000), ref: 0074133C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 8d9b6163205dbc2eb214294e3e8b7fe5884c4e67c19236c97acc2468ba431072
Instruction ID: e706e740d603a40433eef5b6279ae6ce7f806422429739e779a127f99c5a1d65
Opcode Fuzzy Hash: 8d9b6163205dbc2eb214294e3e8b7fe5884c4e67c19236c97acc2468ba431072
Instruction Fuzzy Hash: D8414F316002009FD710EF64C499B69BBE6FF46318F58819CD8569F296C7B5ED81CBA1

Function 0072D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006C3A97,?,?,006C2E7F,?,?,?,00000000), ref: 006C3AC2

Part of subcall function 0072E199: GetFileAttributesW.KERNEL32(?,0072CF95), ref: 0072E19A

FindFirstFileW.KERNEL32(?,?), ref: 0072D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0072D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0072D481
FindClose.KERNEL32(00000000), ref: 0072D498
FindClose.KERNEL32(00000000), ref: 0072D4A1

Strings

\*.*, xrefs: 0072D3F2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: dadfd5b2fd476d9d7d4e37a559d742a0fa7fe66b09aa29e12ed0295f2e535312
Instruction ID: 2def58c4c6ef9ec82eb5def013eea37037a038e476f4992eaee4f82e1b61f0e9
Opcode Fuzzy Hash: dadfd5b2fd476d9d7d4e37a559d742a0fa7fe66b09aa29e12ed0295f2e535312
Instruction Fuzzy Hash: 27317E310083959FC355FF60D855EAF77A9FE91304F408A1DF8D593191EB34AA09876A

Function 006FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006FE645

Strings

1#INF, xrefs: 006FF852
1#IND, xrefs: 006FF83D
1#QNAN, xrefs: 006FF84B
1#SNAN, xrefs: 006FF844

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 127badb2983f73ced833e18bbcbaff3dc4ac0736943225fd6c83417f7e6d81b5
Instruction ID: 1640e73ce96dd42e3b999f50c856cf88e7d2de2626fbb53d3589ad6aef6544f0
Opcode Fuzzy Hash: 127badb2983f73ced833e18bbcbaff3dc4ac0736943225fd6c83417f7e6d81b5
Instruction Fuzzy Hash: 68C22971E086288FDB65CF289D407EAB7B6EF44304F1441EAD94EE7251E779AE818F40

Function 0073648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007364DC
CoInitialize.OLE32(00000000), ref: 00736639
CoCreateInstance.OLE32(0075FCF8,00000000,00000001,0075FB68,?), ref: 00736650
CoUninitialize.OLE32 ref: 007368D4

Strings

.lnk, xrefs: 007364BA, 00736524, 007365E0

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 4c393c78b6ca5f52257bd990c5e95cb41e46c7b516a0a1bb5d9da59ce0356609
Instruction ID: afc143345d403b325c58cf2bb3d30af786a339f706af39f8888c122eac12a123
Opcode Fuzzy Hash: 4c393c78b6ca5f52257bd990c5e95cb41e46c7b516a0a1bb5d9da59ce0356609
Instruction Fuzzy Hash: A0D13A71508301AFD354EF24C881E6BB7E9FF98704F00896DF5958B2A2DB71E905CBA6

Function 007422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007422E8

Part of subcall function 0073E4EC: GetWindowRect.USER32(?,?), ref: 0073E504

GetDesktopWindow.USER32 ref: 00742312
GetWindowRect.USER32(00000000), ref: 00742319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00742355
GetCursorPos.USER32(?), ref: 00742381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007423DF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e9732c535022bbe77fddce716c0fad4a9e4ecfde0eaca22ff0e1ae849af13b1a
Instruction ID: ab8749777621e80c26a3dfe6efde4279cf31a35cf0ecf33cd810df5cdcea5f9f
Opcode Fuzzy Hash: e9732c535022bbe77fddce716c0fad4a9e4ecfde0eaca22ff0e1ae849af13b1a
Instruction Fuzzy Hash: 7F313F72104315AFC721DF54DC08F9BBBA9FF88314F404A1AF88497182DB78EA19CB96

Function 00739B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00739B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00739C8B

Part of subcall function 00733874: GetInputState.USER32 ref: 007338CB
Part of subcall function 00733874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00733966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00739BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00739C75

Strings

*.*, xrefs: 00739B5D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 239309a74d4b7abccbfdbb1460851aa3a0e7035997e2312fbbdfae868d5992ad
Instruction ID: abbf72a9769a79cf226755aa8d8eb97475d819e359a3699ab06e3e33b7aed869
Opcode Fuzzy Hash: 239309a74d4b7abccbfdbb1460851aa3a0e7035997e2312fbbdfae868d5992ad
Instruction Fuzzy Hash: 2F41B27190420A9FDF55DF64C849BEEBBB5EF05300F244159E905A2192DB749E84CF64

Function 006D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 006D9A4E
GetSysColor.USER32(0000000F), ref: 006D9B23
SetBkColor.GDI32(?,00000000), ref: 006D9B36

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 53f9bbce03e2b117403d098ac0345da07b3a3f72fd4772b2ed0feef1562ac909
Instruction ID: b7410b26b7160a11a9c5c3997583c7d942c800adfb0c1d0cfc77a375f0af6d79
Opcode Fuzzy Hash: 53f9bbce03e2b117403d098ac0345da07b3a3f72fd4772b2ed0feef1562ac909
Instruction Fuzzy Hash: E0A14A71908544FEE728AA3C8C5DEFB26AFDB86350F19420BF902C67D1DA2D9D42C275

Function 00741806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0074304E: inet_addr.WSOCK32(?), ref: 0074307A
Part of subcall function 0074304E: _wcslen.LIBCMT ref: 0074309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0074185D
WSAGetLastError.WSOCK32 ref: 00741884
bind.WSOCK32(00000000,?,00000010), ref: 007418DB
WSAGetLastError.WSOCK32 ref: 007418E6
closesocket.WSOCK32(00000000), ref: 00741915

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 77545af0a3415446acfdd8bd460aedfe72c47f213ce644787b8ea4c9fae89c2f
Instruction ID: ef0b2b18982b64852716cd0a3266ec84649f809f4263ed8c21318036eb527071
Opcode Fuzzy Hash: 77545af0a3415446acfdd8bd460aedfe72c47f213ce644787b8ea4c9fae89c2f
Instruction Fuzzy Hash: BD51A371A00210AFEB10AF24C886F7A77EAEB44718F44845CF91A5F3D3C775AD418BA5

Function 00751C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00751CC0
IsWindowEnabled.USER32 ref: 00751CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00751CDB
IsIconic.USER32 ref: 00751CE9
IsZoomed.USER32 ref: 00751CF7

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4598a7b03b04c27f327a907b5edb4cc388a02daff5aa9e16aebb32af44a0b1b9
Instruction ID: 3b5778fa2f9d7bbe49a6b95253d3a5c4a06744d1869fbda519a4e0433e0b991b
Opcode Fuzzy Hash: 4598a7b03b04c27f327a907b5edb4cc388a02daff5aa9e16aebb32af44a0b1b9
Instruction Fuzzy Hash: 0E21B4317402005FD7218F1AC884FA67BA5EF85327B99805CEC458B351D7BAEC46CBA4

Function 006C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 006C83FA
VUUU, xrefs: 006C843C
ERCP, xrefs: 006C813C
VUUU, xrefs: 00705DF0
VUUU, xrefs: 006C83E8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0ef8db6c512a4774e1955d7789f4234a698d25e3a51415cf3d3dab6edc888b20
Instruction ID: 55507b32d3ea54cd61b994066eda7a44aff503220e863c3c4201dd8a3ef2539d
Opcode Fuzzy Hash: 0ef8db6c512a4774e1955d7789f4234a698d25e3a51415cf3d3dab6edc888b20
Instruction Fuzzy Hash: 71A23D70A0061ACFDF34CF58C954BBEB7B2FB54314F24829AD815A7285EB789D918F90

Function 00728298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007282AA

Strings

|, xrefs: 007282DA
tbx, xrefs: 007284F4
(, xrefs: 007282F0

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbx$|
API String ID: 1659193697-2462544763
Opcode ID: b1f9a96aa9d233e42b3c403038d06503cd8af619e1efc040581a2041c07e6eef
Instruction ID: 767a1a584f10eb7769037600690a205d1ab09091b208b5835221d0acf7f19600
Opcode Fuzzy Hash: b1f9a96aa9d233e42b3c403038d06503cd8af619e1efc040581a2041c07e6eef
Instruction Fuzzy Hash: 6F324474A00615DFCB68CF59D080A6AB7F0FF48710B15C56EE49ADB3A2EB74E981CB44

Function 0072AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0072AAAC
SetKeyboardState.USER32(00000080), ref: 0072AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0072AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0072AB88

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6ef7d41091d959e7e1295886167cadc6e29b037a381b3c413432d1f44e288136
Instruction ID: 34630c71a5837f6c5304b09cfca8b6b95aa24e646fa023ce3a07308ea854c303
Opcode Fuzzy Hash: 6ef7d41091d959e7e1295886167cadc6e29b037a381b3c413432d1f44e288136
Instruction Fuzzy Hash: E131F6B0A40368BFFF358A64AC09BFA7BA6EF44310F04821AF581965D1D37D8985C766

Function 006FBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006FBB7F

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

GetTimeZoneInformation.KERNEL32 ref: 006FBB91
WideCharToMultiByte.KERNEL32(00000000,?,0079121C,000000FF,?,0000003F,?,?), ref: 006FBC09
WideCharToMultiByte.KERNEL32(00000000,?,00791270,000000FF,?,0000003F,?,?,?,0079121C,000000FF,?,0000003F,?,?), ref: 006FBC36

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 5132bee5d5c1ef29f42a0999e19d9b650fa70c463dd586e9051146ce642c15a5
Instruction ID: ecd06cfbbe420d22570797206af32eed3deeb2a80b1e51726f395726fe4468b7
Opcode Fuzzy Hash: 5132bee5d5c1ef29f42a0999e19d9b650fa70c463dd586e9051146ce642c15a5
Instruction Fuzzy Hash: B731E171A0420ADFCB01EF68DC8097EBBBAFF4531071492AAE220D73A1CB309D11CB54

Function 0073CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0073CE89
GetLastError.KERNEL32(?,00000000), ref: 0073CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0073CEFE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c6449ad1a9b958e60b207ad669b00fbbefa90d6208fd6178553b4893a1dc06b3
Instruction ID: 76e11d8aa1d1a7c86dd256173aa424190b3d85a4defc079a43ec346bf5feb03f
Opcode Fuzzy Hash: c6449ad1a9b958e60b207ad669b00fbbefa90d6208fd6178553b4893a1dc06b3
Instruction Fuzzy Hash: D621CFB2540705AFE722DF65C948BA777FCEB00314F10841EE546E2152E778EE04CB54

Function 00735C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00735CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00735D17
FindClose.KERNEL32(?), ref: 00735D5F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3236ea680a4004a4ef3bcadd14e4b06f0f5f71f752926524f1847cbeb781b6a7
Instruction ID: 87098f6d535e6f3f1944a12ac90354731d38121779a3450fd70b6a476f14f10e
Opcode Fuzzy Hash: 3236ea680a4004a4ef3bcadd14e4b06f0f5f71f752926524f1847cbeb781b6a7
Instruction Fuzzy Hash: 67518874604B019FD714CF28C494E9AB7E5FF49324F14855EE99A8B3A2CB34ED05CB91

Function 006F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 006F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 006F2731

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1dd17893e18f026c24c9b414b7912e83e489c9e9b303864465198e3d2e165497
Instruction ID: 0cb07830281f6a08329d01308b21cc3502a969e327ab38f10f7b7e342ab00bf2
Opcode Fuzzy Hash: 1dd17893e18f026c24c9b414b7912e83e489c9e9b303864465198e3d2e165497
Instruction Fuzzy Hash: BB31B27490131D9BCB61DF69DC887D8BBB9BF08310F5041EAE50CA6261E7749F818F49

Function 007351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00735238
SetErrorMode.KERNEL32(00000000), ref: 007352A1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4439454dc1151bf7345387cf45256b0072d081c536bfcc821f9b741da414b96f
Instruction ID: f219486e7daaac7fda8e508999797fc47f40d9858467c86ed40237d649805f72
Opcode Fuzzy Hash: 4439454dc1151bf7345387cf45256b0072d081c536bfcc821f9b741da414b96f
Instruction Fuzzy Hash: A1314C75A00618DFDB00DF54D888FAEBBB5FF48314F088099E805AB362DB75E856CB94

Function 007216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006E0668
Part of subcall function 006DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0072173A
GetLastError.KERNEL32 ref: 0072174A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 1a47e8cdc8e2aef0a6acde8722bdfb8c10735c046ee686fd9304142e0f4a925b
Instruction ID: f8a9366ad2b33de8917caca156655924ef177ad94f9e62a867f21dd9e1bc1383
Opcode Fuzzy Hash: 1a47e8cdc8e2aef0a6acde8722bdfb8c10735c046ee686fd9304142e0f4a925b
Instruction Fuzzy Hash: B01191B2804308AFD7189F54EC86EABB7BAFF44725B20852EE05657241EB74BC418B24

Function 0072D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0072D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0072D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0072D650

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: fd044a92e9be8b89b6584f31c93460dd4a2fa0e59a0b42f910b301aa4b906bd1
Instruction ID: 462b7c421c6b348324c0491f59a6eab653ce1d10a3276c352c3c1a6a8ef4eb45
Opcode Fuzzy Hash: fd044a92e9be8b89b6584f31c93460dd4a2fa0e59a0b42f910b301aa4b906bd1
Instruction Fuzzy Hash: A9117C71E01328BFDB208F94AC44FAFBBBCEB45B50F108115F914E7290C2B44A018BA1

Function 00721663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0072168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007216A1
FreeSid.ADVAPI32(?), ref: 007216B1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8254781409281eb5e44f6ac01cdc59953081c157a7306f6e5c96b7603bc855cb
Instruction ID: 6d3549e93b1b6627ee152bfa434beacfe2db49b237b38907af370fa99aca7c6c
Opcode Fuzzy Hash: 8254781409281eb5e44f6ac01cdc59953081c157a7306f6e5c96b7603bc855cb
Instruction Fuzzy Hash: 6DF0F471950309FFDB00DFE49C89AAEBBBCFB08605F508565E601E2181E778AA448A54

Function 0071D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0071D28C

Strings

X64, xrefs: 0071D2A8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 0eac50dfd68a80c055741ddb786c1fda6f3d005a4e2e4d7b317c299a8dd79e61
Instruction ID: 05ad6ce7423de2cb01268092597384d2fd0145d8edca1302fd19834dfade000c
Opcode Fuzzy Hash: 0eac50dfd68a80c055741ddb786c1fda6f3d005a4e2e4d7b317c299a8dd79e61
Instruction Fuzzy Hash: 82D0C9B480121DEECF90DB90DC88DD9B3BCBB04305F104152F106A2140D77895498F10

Function 006ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: b690dcba8dfa86a717ec1ab709e09a6c43bebce9b52b76b57260f61fd1f57beb
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 62022C71E012599FDF14CFA9C8806EEBBF2EF48724F254169D919EB380D731A942CB94

Function 006CCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#y, xrefs: 006CCF7F
Variable is not of type 'Object'., xrefs: 00710C40

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#y
API String ID: 0-2013953717
Opcode ID: 16f3d36585aca7920b65bda14ac35c7e180d3158692b6d9a8fd00e195303dc9c
Instruction ID: f6a25004e41542235ecac608db8f04e29bfba0faf5cab2d924d220ec23323c56
Opcode Fuzzy Hash: 16f3d36585aca7920b65bda14ac35c7e180d3158692b6d9a8fd00e195303dc9c
Instruction Fuzzy Hash: 7F3248709002189BCF14DF94C895FFDB7B6FF05314F14805DE81AAB292D775AA86CBA4

Function 007368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00736918
FindClose.KERNEL32(00000000), ref: 00736961

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 03b0103fd0a8e315631ba381fd8b771e88bfa5d0c76342d5fc3a2828ae18faeb
Instruction ID: 727b5d46b0a9d2b8ed499edaad714e70d2e861cd161cd5b726273bd6c23e474b
Opcode Fuzzy Hash: 03b0103fd0a8e315631ba381fd8b771e88bfa5d0c76342d5fc3a2828ae18faeb
Instruction Fuzzy Hash: D5118E71604210AFD710DF29D484B26BBE5FF85329F14C69DE4698F6A2CB74EC05CB91

Function 007337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00744891,?,?,00000035,?), ref: 007337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00744891,?,?,00000035,?), ref: 007337F4

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6122282abf57ef656d7614e386b907598d3a6e0db3763c61277de23564da39fe
Instruction ID: 12c7a38995f4e0c2543541aebd6b246b12b22c747dbf13a7413bce00e5f45241
Opcode Fuzzy Hash: 6122282abf57ef656d7614e386b907598d3a6e0db3763c61277de23564da39fe
Instruction Fuzzy Hash: 58F0E5B06053296AE72017668C8DFEB3AAEEFC4761F000265F509D2291D9B49904C7B0

Function 0072B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0072B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0072B270

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 355963c607df978cec5cd026a7e6acdd2e1b5be566b5c73f49b7416af25b191f
Instruction ID: 3858379173afbf21e9251c3e20c94750bfd3fb60a04df5673e72b432cb9e5763
Opcode Fuzzy Hash: 355963c607df978cec5cd026a7e6acdd2e1b5be566b5c73f49b7416af25b191f
Instruction Fuzzy Hash: FDF0F97180434DABDB059FA0D805BEE7BB4FF08305F108409E955A5192D37D86119F94

Function 007210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007211FC), ref: 007210D4
CloseHandle.KERNEL32(?,?,007211FC), ref: 007210E9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2d5f814eac433b1035653d11ba0bc2e8632c4c6ef967e8b0ba951fdce02bf958
Instruction ID: 8c52294ab3978b0935615b1ea9c0d6e854260d04c173ab376a69d64611c68334
Opcode Fuzzy Hash: 2d5f814eac433b1035653d11ba0bc2e8632c4c6ef967e8b0ba951fdce02bf958
Instruction Fuzzy Hash: 31E04F32004710AEE7262B51FC05FB377AAEF04311B10C82EF4A6804B1DBA26C90DB54

Function 006F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006F6766,?,?,00000008,?,?,006FFEFE,00000000), ref: 006F6998

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: afa5f4f020fb0e000ac7f8dd02cad2d39cd2596be0a02d7488cf6edcc136b8b9
Instruction ID: 4d9841819c892a49b7d057be1f398f8db6809b66aac9516c3da222cf37165864
Opcode Fuzzy Hash: afa5f4f020fb0e000ac7f8dd02cad2d39cd2596be0a02d7488cf6edcc136b8b9
Instruction Fuzzy Hash: EEB15B316106099FD715CF28C48ABA57BE1FF05364F25865CF9AACF2A2C335E982CB40

Function 006DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0071851F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 012dd65d596b521ef6003f6d59816f94ca61f288d2f8835ada339c670b34b281
Instruction ID: 9808357bacf45f036593091213ee4cb7774601776ff82e2de3995e83a966eb7e
Opcode Fuzzy Hash: 012dd65d596b521ef6003f6d59816f94ca61f288d2f8835ada339c670b34b281
Instruction Fuzzy Hash: 05124F71D00229DBCB64CF58C881AEEB7F5FF48710F15819AE849EB355DB349A81CB91

Function 0073EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0073EABD

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 99fa2afa577c8da0829f6bea409680294d5e29842562a916378c8f5c9b798ea3
Instruction ID: 0a3130bb41e838daf4d918fe5d555f442165938416033a4c5a3deda3c7af6798
Opcode Fuzzy Hash: 99fa2afa577c8da0829f6bea409680294d5e29842562a916378c8f5c9b798ea3
Instruction Fuzzy Hash: DFE01A312002059FD710EF59D805EAAB7E9EF98760F00C41EFC49C7391DAB4A8418B94

Function 006E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006E03EE), ref: 006E09DA

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0a7815e0a35a113063c278c660eeafbead67f273c6fca067ecec9fcf27dc45e8
Instruction ID: 04efd7fa95d26c5d0828ab01d2569d4ec1399c705c92a78407d708775b6b2b14
Opcode Fuzzy Hash: 0a7815e0a35a113063c278c660eeafbead67f273c6fca067ecec9fcf27dc45e8
Instruction Fuzzy Hash:

Function 006E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 006E798B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2bcc3ff0da5e74c2ab193bc385cf7283bd96d9ce02070b93a6df7ee59438a616
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B751567161F7C55ADB38856B885A7FF238B9F22340F18052AE886C7383CA15DE06D35A

Function 00732046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&y, xrefs: 00732053

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: 0&y
API String ID: 0-825062974
Opcode ID: ca9f9217017af7823db351442ebb9f229c84eef8775cc6c9c51be82563a0cef2
Instruction ID: ef4d12623a3f8b90115df1f8434ee52f26ff1e2cb725684b0507cdd64bb104b3
Opcode Fuzzy Hash: ca9f9217017af7823db351442ebb9f229c84eef8775cc6c9c51be82563a0cef2
Instruction Fuzzy Hash: CA21A5326216118BDB2CCE79C82367E73E5A754310F15862EE4A7C77D2DE3AA905CB84

Function 006F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729ed830d25505a153ac24446a90eff8b77e35f0b9e74a96713f6fc845d01461
Instruction ID: 79d11afd7240137aafa4605fea4690e8bc39110c55387ce49004b974c59995f8
Opcode Fuzzy Hash: 729ed830d25505a153ac24446a90eff8b77e35f0b9e74a96713f6fc845d01461
Instruction Fuzzy Hash: 67323332D29F054DD7639634CC22335A28AAFB73C5F15D737E81AB5AAAEF69C4834100

Function 006DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc3e8ab7804dd8d59470a36cec1f95bd56a44d12c73ab7dd477f6d9829459f3
Instruction ID: 3ef4129492a3f2ab1c79305550e903ee4254a2eb96280bc26fa5691c81d54db8
Opcode Fuzzy Hash: bdc3e8ab7804dd8d59470a36cec1f95bd56a44d12c73ab7dd477f6d9829459f3
Instruction Fuzzy Hash: 28322431A8410A8BCF2ACEACC5946FD7BA2EF45310F28816BD5899B3D1D638DDC1DB51

Function 006C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764b765c2a1f159db3e0033065cb10c997051498f4f4cd4ff9e7b1cbef511046
Instruction ID: d150e102e1ecd079dbb8c06f319663f7f5c098ff451ec7b4625b690cb4e63ab3
Opcode Fuzzy Hash: 764b765c2a1f159db3e0033065cb10c997051498f4f4cd4ff9e7b1cbef511046
Instruction Fuzzy Hash: 44226CB0A0460ADBDF14CFA5C841AAEB7F6FF44300F24462DE816A7291EB399D55CF54

Function 006C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ce8f0374f3344b45f99ac36c3c951fb705e8c988c54f306079ea0b0f0cfc08
Instruction ID: f9db1cf9dc7a97c665ea27ad56b8815420746ffc2ad018cd2af7d36e50526845
Opcode Fuzzy Hash: 15ce8f0374f3344b45f99ac36c3c951fb705e8c988c54f306079ea0b0f0cfc08
Instruction Fuzzy Hash: 9602A6B1E00205EBDB04DF54D881BAEB7F2FF44300F508569E8569B391EB35AE51CB95

Function 006F9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a2c8687c2310f036ab143d4e15e3394329927ae871124fd51e2818c3515877
Instruction ID: 6a32d6a168fc2197522d0f2f508f083e4fb1f253f0954b9bce0f60b591d8bf0c
Opcode Fuzzy Hash: b3a2c8687c2310f036ab143d4e15e3394329927ae871124fd51e2818c3515877
Instruction Fuzzy Hash: 9CB1F320D2AF404DD723963A8831336B65CAFBB6D5F51D71BFC1B74E62EB2585838144

Function 006E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 642877599b5e2b8116f8ffb6fc11b7161ef992de3496408946088e9801705d61
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 7A91787260A2E34AD729463B85340BDFFE25E533A1319079DE4F2CE2C5EE348555F620

Function 006E1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: a6849bc0815f371a99e7445ea624d0ee62fb818be05265afb73cac450e609d29
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: E0917A7250A2E349D729423B84740BDFFE75A933A131A079DD5F2CF2C5EE248655E620

Function 006E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c43690345e6edb1c268830a0c6e99043c0bbdcabed2a2161ef2e94a37b1a0ac8
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B891427260A2E34ADB29467F857407DFEE25A933A131A07AED4F2CE2C1FD348555F620

Function 006E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37056d4cf11e7a2263fbdf887004ebd98c820bc9b054756a238b0a7abf231871
Instruction ID: 62b42792e89d397f1817adc78d11c3ff99e8645b75290b710938d46b645d09ff
Opcode Fuzzy Hash: 37056d4cf11e7a2263fbdf887004ebd98c820bc9b054756a238b0a7abf231871
Instruction Fuzzy Hash: 9961787160A7C99ADA349E2F8D95BFE339BDF51700F20092EE842CB3C1DA119E438319

Function 006E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99fad21f04a0c156abbcaf50b11166da47757286053ac067719675115ec6c1a
Instruction ID: 784bd851e4661e4007b29d79a5a79a9e76b7d52bcf879c1aee7eb9d4ef301c91
Opcode Fuzzy Hash: d99fad21f04a0c156abbcaf50b11166da47757286053ac067719675115ec6c1a
Instruction Fuzzy Hash: CF617B7160A7C966DE384A2B9C95BFF238BDF42740F24095DE942DB3C1EA129D438359

Function 006E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 518224ceed5b22fcd54f78f8aceab9bacf8b8de2b4ff1d247c50d00478c9233d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8981417260A1E34ADB69423B85744BEFFE35A933A131A079DD4F2CE2C1EE348554F620

Function 00742ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00742B30
DeleteObject.GDI32(00000000), ref: 00742B43
DestroyWindow.USER32 ref: 00742B52
GetDesktopWindow.USER32 ref: 00742B6D
GetWindowRect.USER32(00000000), ref: 00742B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00742CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00742CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742CF8
GetClientRect.USER32(00000000,?), ref: 00742D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00742D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D80
GlobalLock.KERNEL32(00000000), ref: 00742D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D98
GlobalUnlock.KERNEL32(00000000), ref: 00742DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742DA8
GlobalFree.KERNEL32(00000000), ref: 00742DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0075FC38,00000000), ref: 00742DDB
GlobalFree.KERNEL32(00000000), ref: 00742DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00742E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00742E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0074303F

Strings

static, xrefs: 00742D3A, 00742E91
DISPLAY, xrefs: 00742EA2
AutoIt v3, xrefs: 00742CF2
, xrefs: 00742FC5

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: be83fc854747b4a331899b237ddc8d30e55a74c8c67d097d6e9ca4bfad44b008
Instruction ID: 680b8504e533a19c892c2d205c465f55cf3112eb19b0fc1991e792d35d1aac25
Opcode Fuzzy Hash: be83fc854747b4a331899b237ddc8d30e55a74c8c67d097d6e9ca4bfad44b008
Instruction Fuzzy Hash: AE026A71900209AFDB15DF64CC89FAE7BBAEB48711F408158F915AB2A1DB78ED01CF64

Function 007570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0075712F
GetSysColorBrush.USER32(0000000F), ref: 00757160
GetSysColor.USER32(0000000F), ref: 0075716C
SetBkColor.GDI32(?,000000FF), ref: 00757186
SelectObject.GDI32(?,?), ref: 00757195
InflateRect.USER32(?,000000FF,000000FF), ref: 007571C0
GetSysColor.USER32(00000010), ref: 007571C8
CreateSolidBrush.GDI32(00000000), ref: 007571CF
FrameRect.USER32(?,?,00000000), ref: 007571DE
DeleteObject.GDI32(00000000), ref: 007571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00757230
FillRect.USER32(?,?,?), ref: 00757262
GetWindowLongW.USER32(?,000000F0), ref: 00757284

Part of subcall function 007573E8: GetSysColor.USER32(00000012), ref: 00757421
Part of subcall function 007573E8: SetTextColor.GDI32(?,?), ref: 00757425
Part of subcall function 007573E8: GetSysColorBrush.USER32(0000000F), ref: 0075743B
Part of subcall function 007573E8: GetSysColor.USER32(0000000F), ref: 00757446
Part of subcall function 007573E8: GetSysColor.USER32(00000011), ref: 00757463
Part of subcall function 007573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00757471
Part of subcall function 007573E8: SelectObject.GDI32(?,00000000), ref: 00757482
Part of subcall function 007573E8: SetBkColor.GDI32(?,00000000), ref: 0075748B
Part of subcall function 007573E8: SelectObject.GDI32(?,?), ref: 00757498
Part of subcall function 007573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007574B7
Part of subcall function 007573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007574CE
Part of subcall function 007573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007574DB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 28b2af96273c1fc03de142cf7bb4354f7e1ee87f733d6cc7fdf75209be0e642a
Instruction ID: c24bf1286cf0ee28fd18b518fbe4023281493a021877597237369e65c3ba96e1
Opcode Fuzzy Hash: 28b2af96273c1fc03de142cf7bb4354f7e1ee87f733d6cc7fdf75209be0e642a
Instruction Fuzzy Hash: ACA1B172008305FFD7069F60DC48B9B7BA9FB88322F104A19F962961E1D7B9E944CB55

Function 006D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 006D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00716AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00716AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00716F43

Part of subcall function 006D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006D8BE8,?,00000000,?,?,?,?,006D8BBA,00000000,?), ref: 006D8FC5

SendMessageW.USER32(?,00001053), ref: 00716F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00716F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00716FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00716FB7

Strings

0, xrefs: 00716DCF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b27656666c93e4dce2f6dc04a7a876ad2500a96a5ca03003e58ba21593b930c2
Instruction ID: a098e4c0f4cfa7c2a3ee94f4fba82ef036686730b36ad895fe6372cff48c752c
Opcode Fuzzy Hash: b27656666c93e4dce2f6dc04a7a876ad2500a96a5ca03003e58ba21593b930c2
Instruction Fuzzy Hash: B512AD30604241DFDB26CF28D848BE5B7E6FB44310F54856AE5858B2A1CB39ECA2DF95

Function 00742711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0074273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0074286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00742900
GetClientRect.USER32(00000000,?), ref: 0074290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00742955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00742964
GetStockObject.GDI32(00000011), ref: 00742974
SelectObject.GDI32(00000000,00000000), ref: 00742978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00742988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00742991
DeleteDC.GDI32(00000000), ref: 0074299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00742A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00742A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00742A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00742A77
GetStockObject.GDI32(00000011), ref: 00742A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00742A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00742A97

Strings

msctls_progress32, xrefs: 00742A13
static, xrefs: 0074294F, 00742A71
DISPLAY, xrefs: 0074295A
AutoIt v3, xrefs: 007428F8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8c20652afbc73aed4ea57e73af12ee00a9789785368051ee393ac03dd21e70f3
Instruction ID: d53d789e3220643691526e451e3b39807fddadf3a2178baadfba0fa99e925e0e
Opcode Fuzzy Hash: 8c20652afbc73aed4ea57e73af12ee00a9789785368051ee393ac03dd21e70f3
Instruction Fuzzy Hash: 17B16DB1A00209AFEB14DF68CC4AFAE7BB9EB08711F408119F914E7291D7B8ED51CB54

Function 00734ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00734AED
GetDriveTypeW.KERNEL32(?,0075CB68,?,\\.\,0075CC08), ref: 00734BCA
SetErrorMode.KERNEL32(00000000,0075CB68,?,\\.\,0075CC08), ref: 00734D36

Strings

Virtual, xrefs: 00734CE5
PhysicalDrive, xrefs: 00734B76
MMC, xrefs: 00734CDE
Fibre, xrefs: 00734CAD
SCSI, xrefs: 00734C8A
ATA, xrefs: 00734C98
RAID, xrefs: 00734CBB
SAS, xrefs: 00734CC9
RAMDisk, xrefs: 00734BF4
SSD, xrefs: 00734C4A
USB, xrefs: 00734CB4
SSA, xrefs: 00734CA6
FileBackedVirtual, xrefs: 00734CEC
SATA, xrefs: 00734CD0
Removable, xrefs: 00734C10, 00734C15
ATAPI, xrefs: 00734C91
Unknown, xrefs: 00734BED, 00734C83
Fixed, xrefs: 00734C09
iSCSI, xrefs: 00734CC2
1394, xrefs: 00734C9F
Network, xrefs: 00734C02
\\.\, xrefs: 00734B3F
CDROM, xrefs: 00734BFB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 935069d0b15c63b483e895f70ab4d96fe73250bc80fbfa77adeea8ca647b2d0d
Instruction ID: 0c70264eda2142dd4cf19cf22599feef0c08ea1b333a8052edbc762e5c1bd52e
Opcode Fuzzy Hash: 935069d0b15c63b483e895f70ab4d96fe73250bc80fbfa77adeea8ca647b2d0d
Instruction Fuzzy Hash: 1161B070746205ABEB08EF24CA95EB8B7B1EB04300F249419F806AB653DB7DFD41DB65

Function 007573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00757421
SetTextColor.GDI32(?,?), ref: 00757425
GetSysColorBrush.USER32(0000000F), ref: 0075743B
GetSysColor.USER32(0000000F), ref: 00757446
CreateSolidBrush.GDI32(?), ref: 0075744B
GetSysColor.USER32(00000011), ref: 00757463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00757471
SelectObject.GDI32(?,00000000), ref: 00757482
SetBkColor.GDI32(?,00000000), ref: 0075748B
SelectObject.GDI32(?,?), ref: 00757498
InflateRect.USER32(?,000000FF,000000FF), ref: 007574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0075752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00757554
InflateRect.USER32(?,000000FD,000000FD), ref: 00757572
DrawFocusRect.USER32(?,?), ref: 0075757D
GetSysColor.USER32(00000011), ref: 0075758E
SetTextColor.GDI32(?,00000000), ref: 00757596
DrawTextW.USER32(?,007570F5,000000FF,?,00000000), ref: 007575A8
SelectObject.GDI32(?,?), ref: 007575BF
DeleteObject.GDI32(?), ref: 007575CA
SelectObject.GDI32(?,?), ref: 007575D0
DeleteObject.GDI32(?), ref: 007575D5
SetTextColor.GDI32(?,?), ref: 007575DB
SetBkColor.GDI32(?,?), ref: 007575E5

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6ec2f31646b64baa0e28d644c74b1c217fe647c17d40789e66b8af3c91c33eb2
Instruction ID: 0391dfb387080c3338cfd531ecdabce93ad80c75768fb9ac642938ab0b228c91
Opcode Fuzzy Hash: 6ec2f31646b64baa0e28d644c74b1c217fe647c17d40789e66b8af3c91c33eb2
Instruction Fuzzy Hash: 2E616E72900318AFDF059FA4DC49FEE7FB9EB08322F118115F915AB2A1D7B99940CB94

Function 00750FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00751128
GetDesktopWindow.USER32 ref: 0075113D
GetWindowRect.USER32(00000000), ref: 00751144
GetWindowLongW.USER32(?,000000F0), ref: 00751199
DestroyWindow.USER32(?), ref: 007511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0075120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0075121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00751232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00751245
IsWindowVisible.USER32(00000000), ref: 007512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007512D0
GetWindowRect.USER32(00000000,?), ref: 007512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0075130E
GetMonitorInfoW.USER32(00000000,?), ref: 00751328
CopyRect.USER32(?,?), ref: 0075133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007513AA

Strings

tooltips_class32, xrefs: 007511E6
0, xrefs: 007510D3
(, xrefs: 0075131B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 38387c0bbc94eb53318b7989bf03a0fc8e13ca804c90b63f972571e2db348d88
Instruction ID: 5239de9343e7be4fefe6e2be3933deacb9312fab8d02509c874e5bad0a572568
Opcode Fuzzy Hash: 38387c0bbc94eb53318b7989bf03a0fc8e13ca804c90b63f972571e2db348d88
Instruction Fuzzy Hash: 6CB1AC71604340AFD740DF64C884FAABBE5FF84342F40891CF9999B2A1DBB5E848CB95

Function 006D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006D8968
GetSystemMetrics.USER32(00000007), ref: 006D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006D899B
GetSystemMetrics.USER32(00000008), ref: 006D89A3
GetSystemMetrics.USER32(00000004), ref: 006D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 006D8A5A
GetStockObject.GDI32(00000011), ref: 006D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 006D8A81

Part of subcall function 006D912D: GetCursorPos.USER32(?), ref: 006D9141
Part of subcall function 006D912D: ScreenToClient.USER32(00000000,?), ref: 006D915E
Part of subcall function 006D912D: GetAsyncKeyState.USER32(00000001), ref: 006D9183
Part of subcall function 006D912D: GetAsyncKeyState.USER32(00000002), ref: 006D919D

SetTimer.USER32(00000000,00000000,00000028,006D90FC), ref: 006D8AA8

Strings

AutoIt v3 GUI, xrefs: 006D8A20

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 58f87c71af0f52b447a1c96f6e33cecfe0260a0a856172ff3aa69c24c10463c2
Instruction ID: e5c15db04dadc9a3c473e54c09473fc23ba2648fc1801f6a4e3aa8acc8ff9bfd
Opcode Fuzzy Hash: 58f87c71af0f52b447a1c96f6e33cecfe0260a0a856172ff3aa69c24c10463c2
Instruction Fuzzy Hash: C6B18075A0030A9FDB14DFA8CC49BEE3BB5FB48315F11811AFA15AB2D0DB78A851CB54

Function 00720D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00721114
Part of subcall function 007210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721120
Part of subcall function 007210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 0072112F
Part of subcall function 007210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721136
Part of subcall function 007210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0072114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00720DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00720E29
GetLengthSid.ADVAPI32(?), ref: 00720E40
GetAce.ADVAPI32(?,00000000,?), ref: 00720E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00720E96
GetLengthSid.ADVAPI32(?), ref: 00720EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00720EB5
HeapAlloc.KERNEL32(00000000), ref: 00720EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00720EDD
CopySid.ADVAPI32(00000000), ref: 00720EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00720F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00720F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00720F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720F6E
HeapFree.KERNEL32(00000000), ref: 00720F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720F7E
HeapFree.KERNEL32(00000000), ref: 00720F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720F8E
HeapFree.KERNEL32(00000000), ref: 00720F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00720FA1
HeapFree.KERNEL32(00000000), ref: 00720FA8

Part of subcall function 00721193: GetProcessHeap.KERNEL32(00000008,00720BB1,?,00000000,?,00720BB1,?), ref: 007211A1
Part of subcall function 00721193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00720BB1,?), ref: 007211A8
Part of subcall function 00721193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00720BB1,?), ref: 007211B7

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bb2858ced5fc044366d9df3ceb4492625f119dcdb6fb7f78753743ddb05dc7f3
Instruction ID: de7e2d4404e0c618eeaf04ed54fdbbf665f672043709be6cbe5c71c12f106b53
Opcode Fuzzy Hash: bb2858ced5fc044366d9df3ceb4492625f119dcdb6fb7f78753743ddb05dc7f3
Instruction Fuzzy Hash: 60715F7290031AAFDF219FA4ED45BEEBBB8FF04311F048115F919A6191D7799A05CBB0

Function 0074C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0075CC08,00000000,?,00000000,?,?), ref: 0074C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0074C5A4
_wcslen.LIBCMT ref: 0074C5F4
_wcslen.LIBCMT ref: 0074C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0074C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0074C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0074C84D
RegCloseKey.ADVAPI32(?), ref: 0074C881
RegCloseKey.ADVAPI32(00000000), ref: 0074C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0074C960

Strings

REG_BINARY, xrefs: 0074C913
REG_MULTI_SZ, xrefs: 0074C6F5
REG_EXPAND_SZ, xrefs: 0074C5CD
REG_QWORD, xrefs: 0074C8C3
REG_DWORD, xrefs: 0074C804
REG_SZ, xrefs: 0074C644

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a69da932201ee6c5e8b96aea66e2c8c5fb531cdab2e1e699a220fcf4ef8efb52
Instruction ID: 54c856e5d32fe4c32bc3d84395a1deb0ca486befccbc9ab81de2b6676b911f94
Opcode Fuzzy Hash: a69da932201ee6c5e8b96aea66e2c8c5fb531cdab2e1e699a220fcf4ef8efb52
Instruction Fuzzy Hash: 0F1259356042019FD755DF24C881F2AB7E6EF88724F14889DF84A9B3A2DB35ED41CB89

Function 0075091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007509C6
_wcslen.LIBCMT ref: 00750A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00750A54
_wcslen.LIBCMT ref: 00750A8A
_wcslen.LIBCMT ref: 00750B06
_wcslen.LIBCMT ref: 00750B81

Part of subcall function 006DF9F2: _wcslen.LIBCMT ref: 006DF9FD

Part of subcall function 00722BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00722BFA

Strings

UNCHECK, xrefs: 00750D3E
GETTOTALCOUNT, xrefs: 007509F2, 00750A17
SELECT, xrefs: 00750D11
EXPAND, xrefs: 00750BF8
CHECK, xrefs: 00750A85, 00750AA0
COLLAPSE, xrefs: 00750B01, 00750B1C
EXISTS, xrefs: 00750B7C, 00750B97
GETTEXT, xrefs: 00750C97
GETSELECTED, xrefs: 00750C4E
GETITEMCOUNT, xrefs: 00750C1E
ISCHECKED, xrefs: 00750CE1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d1204db20f1b6ff894cd52cb851d27e65f900c5da8fa67ba121613da0b86894e
Instruction ID: 4ce4c31710e4ce36e3898233aa75fd2d80aaf0e0656354fdf0737cb7118bce50
Opcode Fuzzy Hash: d1204db20f1b6ff894cd52cb851d27e65f900c5da8fa67ba121613da0b86894e
Instruction Fuzzy Hash: 91E1BC716083019FC714EF24C4909AAB7E2FF88315B14895DF8969B362DB78ED4ACBC1

Function 0074C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
_wcslen.LIBCMT ref: 0074C9F1
_wcslen.LIBCMT ref: 0074CA68
_wcslen.LIBCMT ref: 0074CA9E
_wcslen.LIBCMT ref: 0074CAF9
_wcslen.LIBCMT ref: 0074CB2F
_wcslen.LIBCMT ref: 0074CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 0074CAF3, 0074CAF8
HKCR, xrefs: 0074CB29, 0074CB2E
HKEY_LOCAL_MACHINE, xrefs: 0074CA62, 0074CA67
HKEY_USERS, xrefs: 0074CBDF
HKEY_CURRENT_USER, xrefs: 0074CBBD
HKEY_CURRENT_CONFIG, xrefs: 0074CB79, 0074CB7E
HKLM, xrefs: 0074CA98, 0074CA9D
HKCC, xrefs: 0074CBAC
HKU, xrefs: 0074CBF0
HKCU, xrefs: 0074CBCE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 31d627906e380d1d374375903b60a90e97eb511ca5cc95437983cd71b90b2770
Instruction ID: 6bbcc87db4adb7d5b06e5af3989f4944de215dadf4bf86125d6c4f33d84759d7
Opcode Fuzzy Hash: 31d627906e380d1d374375903b60a90e97eb511ca5cc95437983cd71b90b2770
Instruction Fuzzy Hash: A371283270216A8BCB92DE7CCC415BE3392EF60754B254529FC66A7284EB3DCD44C3A4

Function 0075833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075835A
_wcslen.LIBCMT ref: 0075836E
_wcslen.LIBCMT ref: 00758391
_wcslen.LIBCMT ref: 007583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0075361A,?), ref: 0075844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00758487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00758501
FreeLibrary.KERNEL32(?), ref: 0075850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0075851D
DestroyIcon.USER32(?), ref: 0075852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00758549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00758555

Strings

.exe, xrefs: 00758388
.icl, xrefs: 00758368
.dll, xrefs: 007583AB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: bfde5d2ccec8cb1d21200bb2234a3e6b09fd571c57ac064c98ed00cbb8f8c89c
Instruction ID: fb62cbd9cc1bb00dcbb8bd912bbc36c671cfdff0a1980e6d26fce59ff84c77a9
Opcode Fuzzy Hash: bfde5d2ccec8cb1d21200bb2234a3e6b09fd571c57ac064c98ed00cbb8f8c89c
Instruction Fuzzy Hash: 8F61CD71900305BFEB549F64CC81BFE77A8AB04722F108509FC15E60D1EFB8A994CBA4

Function 006C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 006C78D9
", xrefs: 00705153
#cs, xrefs: 006C7873, 006C78C5
', xrefs: 00705169
#include-once, xrefs: 006C782F
#OnAutoItStartRegister, xrefs: 006C7817
Cannot parse #include, xrefs: 00705279
#notrayicon, xrefs: 006C77E7
#pragma compile, xrefs: 006C77D3
#include, xrefs: 006C7847
#requireadmin, xrefs: 006C77FF
Bad directive syntax error, xrefs: 0070519A
#ce, xrefs: 006C78ED
Unterminated group of comments, xrefs: 0070528C
#comments-start, xrefs: 006C785F, 006C78B1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f131815877c440861bffefa52c49e05b1cf685a145936e904089fe933d404e79
Instruction ID: 042238ec74e03a3ded276b16179526dc615211e24ef9e250f53c7dc5ae062b00
Opcode Fuzzy Hash: f131815877c440861bffefa52c49e05b1cf685a145936e904089fe933d404e79
Instruction Fuzzy Hash: F581E7B1645209BBDB20AF60CC42FBF37AAEF15300F04402DF905AB292EB74D915CBA5

Function 00733E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00733EF8
_wcslen.LIBCMT ref: 00733F03
_wcslen.LIBCMT ref: 00733F5A
_wcslen.LIBCMT ref: 00733F98
GetDriveTypeW.KERNEL32(?), ref: 00733FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00734059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00734087

Strings

open , xrefs: 00733FE5
close cd wait, xrefs: 00734072
close, xrefs: 00733EFE, 00733F18
wait, xrefs: 00734044
set cd door , xrefs: 00734028
open, xrefs: 00733F54, 00733F59
closed, xrefs: 00733F08, 00733F2D, 00733F46, 00733F7E, 00733F97
type cdaudio alias cd wait, xrefs: 00734001

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: be0a667704750dc6602cabeeb5e3456908dc2464e568e2a95aba9691a10a2526
Instruction ID: 33a9ba4a3158a26156c7197903751dd84b3c37405aa5ed066ffd2860557d1484
Opcode Fuzzy Hash: be0a667704750dc6602cabeeb5e3456908dc2464e568e2a95aba9691a10a2526
Instruction Fuzzy Hash: B77112726043029FD324EF24C88097AB7F5EF94758F40492DF89697252EB38EE45CB91

Function 00725A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00725A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00725A40
SetWindowTextW.USER32(?,?), ref: 00725A57
GetDlgItem.USER32(?,000003EA), ref: 00725A6C
SetWindowTextW.USER32(00000000,?), ref: 00725A72
GetDlgItem.USER32(?,000003E9), ref: 00725A82
SetWindowTextW.USER32(00000000,?), ref: 00725A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00725AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00725AC3
GetWindowRect.USER32(?,?), ref: 00725ACC
_wcslen.LIBCMT ref: 00725B33
SetWindowTextW.USER32(?,?), ref: 00725B6F
GetDesktopWindow.USER32 ref: 00725B75
GetWindowRect.USER32(00000000), ref: 00725B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00725BD3
GetClientRect.USER32(?,?), ref: 00725BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00725C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00725C2F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: fafe747b58cffacb3ac11e7cfd9649a76ee7fe9712a215ed3de340ee7c7684ac
Instruction ID: 7cb81ebbb1d97ec8fd808369d060f38542f344142bc93b2c611ff79be5720e4e
Opcode Fuzzy Hash: fafe747b58cffacb3ac11e7cfd9649a76ee7fe9712a215ed3de340ee7c7684ac
Instruction Fuzzy Hash: BD71BF71900B19EFDB21DFA8DE85BAEBBF5FF08705F104518E142A25A0D779E940CB10

Function 0073FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0073FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0073FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0073FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0073FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0073FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0073FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0073FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0073FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0073FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0073FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0073FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0073FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0073FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0073FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0073FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0073FECC
GetCursorInfo.USER32(?), ref: 0073FEDC
GetLastError.KERNEL32 ref: 0073FF1E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 19610a10a32db3aab1e23056ff932c3e509814c3db77c2247f23ace861f62d6e
Instruction ID: b8efcb9528e45aa63df219d23399e149963c66d674dbecf753fcd6c3c2e46966
Opcode Fuzzy Hash: 19610a10a32db3aab1e23056ff932c3e509814c3db77c2247f23ace861f62d6e
Instruction Fuzzy Hash: 444133B0D0431A6ADB109FBA8C85D5EBFE8FF04754B50452AE51DE7281DB78D901CE91

Function 007230F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0072318D
_wcslen.LIBCMT ref: 007231F8

Strings

INSTANCE, xrefs: 00723453
CLASS, xrefs: 00723188, 007231A5
REGEXPCLASS, xrefs: 00723255, 00723266
CLASSNN, xrefs: 007231F3, 00723204
TEXT, xrefs: 0072347C
NAME, xrefs: 00723335, 00723346
[x, xrefs: 0072339A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[x
API String ID: 176396367-3202395760
Opcode ID: 19e57557a57ff0a7c793e7a34e8311aa29056d673ef92d8664714d7525907ddf
Instruction ID: d2bacf32337c5858b789ff2ad4c19c099ac2ee5177f516a898e50cac0c986eea
Opcode Fuzzy Hash: 19e57557a57ff0a7c793e7a34e8311aa29056d673ef92d8664714d7525907ddf
Instruction Fuzzy Hash: 8DE1E432A00626ABCB18EFB4D451BFDBBB1BF54710F54812AE456B7240DB3CAF858790

Function 006E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006E00C6

Part of subcall function 006E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0079070C,00000FA0,14785288,?,?,?,?,007023B3,000000FF), ref: 006E011C
Part of subcall function 006E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007023B3,000000FF), ref: 006E0127
Part of subcall function 006E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007023B3,000000FF), ref: 006E0138
Part of subcall function 006E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006E014E
Part of subcall function 006E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006E015C
Part of subcall function 006E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006E016A
Part of subcall function 006E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006E0195
Part of subcall function 006E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006E01A0

___scrt_fastfail.LIBCMT ref: 006E00E7

Part of subcall function 006E00A3: __onexit.LIBCMT ref: 006E00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 006E0122
SleepConditionVariableCS, xrefs: 006E0154
kernel32.dll, xrefs: 006E0133
WakeAllConditionVariable, xrefs: 006E0162
InitializeConditionVariable, xrefs: 006E0148

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ae9afeecfa0be087adde619e5b8a614fe455470bfe34d2b2f2de53c2a1ed48d1
Instruction ID: 2275e82068ca7b1ef2556a9a7c5f70934f84210f3c440e094ec019aaec80f8e6
Opcode Fuzzy Hash: ae9afeecfa0be087adde619e5b8a614fe455470bfe34d2b2f2de53c2a1ed48d1
Instruction Fuzzy Hash: 7A21F9B2A467546FFB115BF5AC05BEA33A5DB04B62F10413AF801A6391DFFC9C408AD8

Function 007344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0075CC08), ref: 00734527
_wcslen.LIBCMT ref: 0073453B
_wcslen.LIBCMT ref: 00734599
_wcslen.LIBCMT ref: 007345F4
_wcslen.LIBCMT ref: 0073463F
_wcslen.LIBCMT ref: 007346A7

Part of subcall function 006DF9F2: _wcslen.LIBCMT ref: 006DF9FD

GetDriveTypeW.KERNEL32(?,00786BF0,00000061), ref: 00734743

Strings

cdrom, xrefs: 0073458F, 00734594
all, xrefs: 00734531, 00734536
unknown, xrefs: 00734708
network, xrefs: 0073469D, 007346A2
ramdisk, xrefs: 007346F1
fixed, xrefs: 00734635, 0073463A
removable, xrefs: 007345EA, 007345EF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3030566bddeb006527a62e8579fccae1ba855daa09765a0a04d6422b57407250
Instruction ID: 2a844125841cfb3fe642f9b312c15eb9853267af42c06a62e9965fccf34037e9
Opcode Fuzzy Hash: 3030566bddeb006527a62e8579fccae1ba855daa09765a0a04d6422b57407250
Instruction Fuzzy Hash: D5B121716083029FD718DF28C891A7AB7E5FFA5724F50491DF496C7292D738E844CBA2

Function 0075911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00759147

Part of subcall function 00757674: ClientToScreen.USER32(?,?), ref: 0075769A
Part of subcall function 00757674: GetWindowRect.USER32(?,?), ref: 00757710
Part of subcall function 00757674: PtInRect.USER32(?,?,00758B89), ref: 00757720

SendMessageW.USER32(?,000000B0,?,?), ref: 007591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00759225
SendMessageW.USER32(?,000000B0,?,?), ref: 0075923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00759255
SendMessageW.USER32(?,000000B1,?,?), ref: 00759277
DragFinish.SHELL32(?), ref: 0075927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00759371

Strings

@GUI_DROPID, xrefs: 0075929E
p#y, xrefs: 007592BB
@GUI_DRAGFILE, xrefs: 00759320
@GUI_DRAGID, xrefs: 007592E9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#y
API String ID: 221274066-1502668229
Opcode ID: 5ee12f146f4969dd6eff54646d5a17f04f678b5d3f5864cb3315e8f4bbca70c8
Instruction ID: 13528bc073288c66a430544e23e0ac03678e91dc348c0723c29a80ed9a6ef367
Opcode Fuzzy Hash: 5ee12f146f4969dd6eff54646d5a17f04f678b5d3f5864cb3315e8f4bbca70c8
Instruction Fuzzy Hash: 12619E71108301AFC701EF60DC89EAFBBE9EF89350F40492EF595931A1DB749A09CB66

Function 00743FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0075CC08), ref: 007440BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007440CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0075CC08), ref: 007440F2
FreeLibrary.KERNEL32(00000000,?,0075CC08), ref: 0074413E
StringFromGUID2.OLE32(?,?,00000028,?,0075CC08), ref: 007441A8
SysFreeString.OLEAUT32(00000009), ref: 00744262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007442C8
SysFreeString.OLEAUT32(?), ref: 007442F2

Strings

kernel32.dll, xrefs: 007440B6
GetModuleHandleExW, xrefs: 007440C7

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 4f005a8c13b921fdc5405c195b5c55275323725836ac2bcbf5a150f7bc03dc9d
Instruction ID: 86c3cf69f24c4277910ef2f194b98b1da397bfc918afe284cdb4b38703c52775
Opcode Fuzzy Hash: 4f005a8c13b921fdc5405c195b5c55275323725836ac2bcbf5a150f7bc03dc9d
Instruction Fuzzy Hash: 55124A71A00209EFDB14CF94C888FAEBBB5FF45314F248098E905AB261D775ED42DBA0

Function 006C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00791990), ref: 00702F8D
GetMenuItemCount.USER32(00791990), ref: 0070303D
GetCursorPos.USER32(?), ref: 00703081
SetForegroundWindow.USER32(00000000), ref: 0070308A
TrackPopupMenuEx.USER32(00791990,00000000,?,00000000,00000000,00000000), ref: 0070309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007030A9

Strings

0, xrefs: 006C327D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: c3957e8ead03ad2c8096037955fa57ddaca7702ebd22d9b960f18d632ac22bbd
Instruction ID: 8d0ab92c3b5d85263619180938c6a7cf3addd944d42573c5af99f06e535ec314
Opcode Fuzzy Hash: c3957e8ead03ad2c8096037955fa57ddaca7702ebd22d9b960f18d632ac22bbd
Instruction Fuzzy Hash: 30710771640316FEEB219F64DC8DFAABFA9FF00364F204206F5156A2E1C7B9A951C750

Function 00756CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00756DEB

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00756E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00756E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00756E94
DestroyWindow.USER32(?), ref: 00756EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006C0000,00000000), ref: 00756EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00756EFD
GetDesktopWindow.USER32 ref: 00756F16
GetWindowRect.USER32(00000000), ref: 00756F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00756F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00756F4D

Part of subcall function 006D9944: GetWindowLongW.USER32(?,000000EB), ref: 006D9952

Strings

0, xrefs: 00756D98
tooltips_class32, xrefs: 00756E58, 00756EDD

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 26d188e269bf5b5d1cae9d57c8d12b291b904c552e1d701a248494ee9c8cab6a
Instruction ID: 2b69dede6f7fecc1e299d2da8a881fc1a73d6488c7f32183ab2ee61b120358ca
Opcode Fuzzy Hash: 26d188e269bf5b5d1cae9d57c8d12b291b904c552e1d701a248494ee9c8cab6a
Instruction Fuzzy Hash: BD716C70504341AFDB21CF18D844FAABBE9FB89305F84455DF989872A0C7B8E90ACB15

Function 0073C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0073C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0073C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0073C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0073C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0073C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0073C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0073C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0073C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0073C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0073C5F0
InternetCloseHandle.WININET(00000000), ref: 0073C5FB

Strings

, xrefs: 0073C575

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 16a4b124cbe1572b2e59274efdff40004a1fc16663aeb0d765a4ecd2aacbe45d
Instruction ID: 8f994d235b6bcd76c70eb515098befe9e0681db122f009e773746799368c74b3
Opcode Fuzzy Hash: 16a4b124cbe1572b2e59274efdff40004a1fc16663aeb0d765a4ecd2aacbe45d
Instruction Fuzzy Hash: CE516BB1500308BFEB229F60CD88AAB7BBCFF08745F108419F945A6612DB78E954DB60

Function 0075856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00758592
GetFileSize.KERNEL32(00000000,00000000), ref: 007585A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007585AD
CloseHandle.KERNEL32(00000000), ref: 007585BA
GlobalLock.KERNEL32(00000000), ref: 007585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007585D7
GlobalUnlock.KERNEL32(00000000), ref: 007585E0
CloseHandle.KERNEL32(00000000), ref: 007585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007585F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0075FC38,?), ref: 00758611
GlobalFree.KERNEL32(00000000), ref: 00758621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00758641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00758671
DeleteObject.GDI32(00000000), ref: 00758699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007586AF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 12c6c767b8cbda942dbfb452a43570dc2aec8ccf8250fe8b4492632e9362607f
Instruction ID: 34378130754c227fdbc0c1b21ec667973763f51e08a82269e1413a3ba66376ac
Opcode Fuzzy Hash: 12c6c767b8cbda942dbfb452a43570dc2aec8ccf8250fe8b4492632e9362607f
Instruction Fuzzy Hash: 0F41FA75600308AFDB119FA5DC48EAA7BB8FF89712F108058F905E7260DBB89945CB65

Function 007314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00731502
VariantCopy.OLEAUT32(?,?), ref: 0073150B
VariantClear.OLEAUT32(?), ref: 00731517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00731657
VariantInit.OLEAUT32(?), ref: 00731708
SysFreeString.OLEAUT32(?), ref: 0073178C
VariantClear.OLEAUT32(?), ref: 007317D8
VariantClear.OLEAUT32(?), ref: 007317E7
VariantInit.OLEAUT32(00000000), ref: 00731823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00731625
Default, xrefs: 007316AF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 6a296d2229cdb7f7213c3882ddd96ba1838dda3b1b2abd045fcb989eccea1699
Instruction ID: 23cce7cbd678631f46b67b7e6cfede0d5bf12bacaffaf1a7ab158f2669091e30
Opcode Fuzzy Hash: 6a296d2229cdb7f7213c3882ddd96ba1838dda3b1b2abd045fcb989eccea1699
Instruction Fuzzy Hash: AED11371A00205EBEB10DF65D885BBDB7B6FF44700F94845AF406AB282DB39EC51DB61

Function 0074B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 0074C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074C9F1
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA68
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0074B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0074B80A
RegCloseKey.ADVAPI32(?), ref: 0074B87E
RegCloseKey.ADVAPI32(?), ref: 0074B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0074B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0074B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0074B922
FreeLibrary.KERNEL32(00000000), ref: 0074B983
RegCloseKey.ADVAPI32(00000000), ref: 0074B994

Strings

advapi32.dll, xrefs: 0074B8ED
RegDeleteKeyExW, xrefs: 0074B8FE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: dc6e385729b976f4b59a4b6d3b458b17d4bd3094ac13571d917060cd1d544190
Instruction ID: aa5304d255cc71c7283c3043a14983645ec786b8277fb1c52a9dc64c5d9e7ac6
Opcode Fuzzy Hash: dc6e385729b976f4b59a4b6d3b458b17d4bd3094ac13571d917060cd1d544190
Instruction Fuzzy Hash: 3CC16C30208241EFD715DF24C495F2ABBE5EF84318F14845CE49A8B2A2CB79EC46CB95

Function 0074255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007425E8
CreateCompatibleDC.GDI32(?), ref: 007425F4
SelectObject.GDI32(00000000,?), ref: 00742601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0074266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007426D0
SelectObject.GDI32(?,?), ref: 007426D8
DeleteObject.GDI32(?), ref: 007426E1
DeleteDC.GDI32(?), ref: 007426E8
ReleaseDC.USER32(00000000,?), ref: 007426F3

Strings

(, xrefs: 0074268D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 851913c78f256e10252befafbae57c59897c37920cd1f83c178ea89ded1333ab
Instruction ID: d7291145a8abe018f75564c9d930ef3e731cc5c49f33e695b0c5cf6192ff7cd7
Opcode Fuzzy Hash: 851913c78f256e10252befafbae57c59897c37920cd1f83c178ea89ded1333ab
Instruction Fuzzy Hash: 8E6112B5D00309EFCF05CFA8C884AAEBBB6FF48310F208529E956A7251E774A951CF54

Function 006FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006FDAA1

Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD659
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD66B
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD67D
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD68F
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6A1
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6B3
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6C5
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6D7
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6E9
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6FB
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD70D
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD71F
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD731

_free.LIBCMT ref: 006FDA96

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006FDAB8
_free.LIBCMT ref: 006FDACD
_free.LIBCMT ref: 006FDAD8
_free.LIBCMT ref: 006FDAFA
_free.LIBCMT ref: 006FDB0D
_free.LIBCMT ref: 006FDB1B
_free.LIBCMT ref: 006FDB26
_free.LIBCMT ref: 006FDB5E
_free.LIBCMT ref: 006FDB65
_free.LIBCMT ref: 006FDB82
_free.LIBCMT ref: 006FDB9A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3fcd9a158f062e6507eb63ffbadf145c4e22d4b9bfc3aefd8491558108cc7376
Instruction ID: 16c68b6ac9150a35a286c0eddac8d2caadc5a30fec744fb43b6a57c9144168ac
Opcode Fuzzy Hash: 3fcd9a158f062e6507eb63ffbadf145c4e22d4b9bfc3aefd8491558108cc7376
Instruction Fuzzy Hash: 1A315A7164420E9FEB62AE39E845BBA77EBFF00711F11452DE648D7291DA71FC408B28

Function 0072365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0072369C
_wcslen.LIBCMT ref: 007236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00723797
GetClassNameW.USER32(?,?,00000400), ref: 0072380C
GetDlgCtrlID.USER32(?), ref: 0072385D
GetWindowRect.USER32(?,?), ref: 00723882
GetParent.USER32(?), ref: 007238A0
ScreenToClient.USER32(00000000), ref: 007238A7
GetClassNameW.USER32(?,?,00000100), ref: 00723921
GetWindowTextW.USER32(?,?,00000400), ref: 0072395D

Strings

%s%u, xrefs: 00723734

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 98512ef907bb26bb23056e0f8131795e1243ac7cb048fc6d17a30fe12314f34a
Instruction ID: 486d0e528e3f5bab03c2a41cd53c417608339b68a3c0f1e3a960acaab0c83346
Opcode Fuzzy Hash: 98512ef907bb26bb23056e0f8131795e1243ac7cb048fc6d17a30fe12314f34a
Instruction Fuzzy Hash: D491D071200726AFD719DF24D885BEAB7E9FF44314F008629F999C6190DB3CEA45CBA1

Function 00724954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00724994
GetWindowTextW.USER32(?,?,00000400), ref: 007249DA
_wcslen.LIBCMT ref: 007249EB
CharUpperBuffW.USER32(?,00000000), ref: 007249F7
_wcsstr.LIBVCRUNTIME ref: 00724A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00724A64
GetWindowTextW.USER32(?,?,00000400), ref: 00724A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00724AE6
GetClassNameW.USER32(?,?,00000400), ref: 00724B20
GetWindowRect.USER32(?,?), ref: 00724B8B

Strings

ThumbnailClass, xrefs: 00724A6F, 00724AF1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d7278c65ce50b77729f3e4bc6a1a56b5ad9798464ffa67b9547d345fb7f57b7e
Instruction ID: 2bbfed9e57659e9f3d6b368738ce40ab5a714328252488097d2590fb7cf7ae74
Opcode Fuzzy Hash: d7278c65ce50b77729f3e4bc6a1a56b5ad9798464ffa67b9547d345fb7f57b7e
Instruction Fuzzy Hash: 4E91ED720043169FDB05CF14E985FAA77E9FF84314F04846AFD859A096DB38EE45CBA1

Function 0072BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00791990,000000FF,00000000,00000030), ref: 0072BFAC
SetMenuItemInfoW.USER32(00791990,00000004,00000000,00000030), ref: 0072BFE1
Sleep.KERNEL32(000001F4), ref: 0072BFF3
GetMenuItemCount.USER32(?), ref: 0072C039
GetMenuItemID.USER32(?,00000000), ref: 0072C056
GetMenuItemID.USER32(?,-00000001), ref: 0072C082
GetMenuItemID.USER32(?,?), ref: 0072C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0072C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0072C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0072C145

Strings

0, xrefs: 0072BF3D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: da7ced02cad37b803f32361c0622f1f128c0c1e331503b38257bbc0cac4920e0
Instruction ID: 1d7f6baef2b3600ea05d845fc6b4161d09b031288e037fbd729cec4475b04bd2
Opcode Fuzzy Hash: da7ced02cad37b803f32361c0622f1f128c0c1e331503b38257bbc0cac4920e0
Instruction Fuzzy Hash: E361C4B090036AEFDF22CF64ED89AEE7BB8EF15344F104055E911A3291D779AD25CB60

Function 0074CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0074CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0074CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0074CD48

Part of subcall function 0074CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0074CCAA
Part of subcall function 0074CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0074CCBD
Part of subcall function 0074CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0074CCCF
Part of subcall function 0074CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0074CD05
Part of subcall function 0074CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0074CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0074CCF3

Strings

advapi32.dll, xrefs: 0074CCB8
RegDeleteKeyExW, xrefs: 0074CCC9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 014c5bd1b6593eba317ebb78a1638a394d23f17ab26c0e1d0067360df82ab781
Instruction ID: ebf3b468d6d69670c8a31bb307f18ea7e5257a45764f43401dee0fc35b354b6f
Opcode Fuzzy Hash: 014c5bd1b6593eba317ebb78a1638a394d23f17ab26c0e1d0067360df82ab781
Instruction Fuzzy Hash: 0A31A1B1E42228BFD7228B50DC88EFFBB7CEF01750F004065B906E2150DB788A45DAB4

Function 00733D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00733D40
_wcslen.LIBCMT ref: 00733D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00733D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00733DBE
RemoveDirectoryW.KERNEL32(?), ref: 00733DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00733E55
CloseHandle.KERNEL32(00000000), ref: 00733E60
CloseHandle.KERNEL32(00000000), ref: 00733E6B

Strings

\, xrefs: 00733D77
:, xrefs: 00733D82
\??\%s, xrefs: 00733D5B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 513da619ce53a7d2ea82316826812da43b3dfea62137643d805f4130366d60ea
Instruction ID: 0e5baa9c33e6824a46f49b30e795c46a943331c6651dcef77a6fef6c22fd01b3
Opcode Fuzzy Hash: 513da619ce53a7d2ea82316826812da43b3dfea62137643d805f4130366d60ea
Instruction Fuzzy Hash: 3F319472A10349ABDB219BA0DC49FEF37BDEF88701F1041B5F609D6151EB7897848B68

Function 0072E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0072E6B4

Part of subcall function 006DE551: timeGetTime.WINMM(?,?,0072E6D4), ref: 006DE555

Sleep.KERNEL32(0000000A), ref: 0072E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0072E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0072E727
SetActiveWindow.USER32 ref: 0072E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0072E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0072E773
Sleep.KERNEL32(000000FA), ref: 0072E77E
IsWindow.USER32 ref: 0072E78A
EndDialog.USER32(00000000), ref: 0072E79B

Strings

BUTTON, xrefs: 0072E719

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 008008995d7e6a5600f22ccad0f07cf4c77ecce57f14382ddb525ece23eb28ea
Instruction ID: 0dc1c55bed84eda81b8ed3e02e58af9f7254546a3069e19728ad57d8e443aaaf
Opcode Fuzzy Hash: 008008995d7e6a5600f22ccad0f07cf4c77ecce57f14382ddb525ece23eb28ea
Instruction Fuzzy Hash: ED2184B0204315BFEB11AF60FC89B653B69F75474AB108426F50681AA2DBBD9C128A2C

Function 0072E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0072EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0072EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0072EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0072EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0072EAA7

Strings

status PlayMe mode, xrefs: 0072EA58
open , xrefs: 0072EA0C
play PlayMe, xrefs: 0072EAA2
play PlayMe wait, xrefs: 0072EA91
close PlayMe, xrefs: 0072EA6E, 0072EA9B
alias PlayMe, xrefs: 0072EA36

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: acd08b9716edf8d1781a342d8948a9dcdcce40350ee1f9d0a4debff48b9ecccf
Instruction ID: 7e3777757a924ccff02127ff6fe39106bcdeaca716ca31a15ed717117899ace1
Opcode Fuzzy Hash: acd08b9716edf8d1781a342d8948a9dcdcce40350ee1f9d0a4debff48b9ecccf
Instruction Fuzzy Hash: C6117CB1A9027979D720F7A1EC4AEFF6B7CEBD1B00F40442DB811A21D1EEB41A05C6B0

Function 00729F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0072A012
SetKeyboardState.USER32(?), ref: 0072A07D
GetAsyncKeyState.USER32(000000A0), ref: 0072A09D
GetKeyState.USER32(000000A0), ref: 0072A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0072A0E3
GetKeyState.USER32(000000A1), ref: 0072A0F4
GetAsyncKeyState.USER32(00000011), ref: 0072A120
GetKeyState.USER32(00000011), ref: 0072A12E
GetAsyncKeyState.USER32(00000012), ref: 0072A157
GetKeyState.USER32(00000012), ref: 0072A165
GetAsyncKeyState.USER32(0000005B), ref: 0072A18E
GetKeyState.USER32(0000005B), ref: 0072A19C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9f12776588beb1bc4e36a825a08c161c1bc6c310f908908d915d22b2aab5de27
Instruction ID: 91c9776b05904e5df7111987b2a28565833edaebc7f1179f0c45ee0785c029d9
Opcode Fuzzy Hash: 9f12776588beb1bc4e36a825a08c161c1bc6c310f908908d915d22b2aab5de27
Instruction Fuzzy Hash: B751FB209047A87AFB35DBB0A9147EABFF59F11340F088599D5C2571C2EA5C9B4CCB63

Function 00725CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00725CE2
GetWindowRect.USER32(00000000,?), ref: 00725CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00725D59
GetDlgItem.USER32(?,00000002), ref: 00725D69
GetWindowRect.USER32(00000000,?), ref: 00725D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00725DCF
GetDlgItem.USER32(?,000003E9), ref: 00725DDD
GetWindowRect.USER32(00000000,?), ref: 00725DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00725E31
GetDlgItem.USER32(?,000003EA), ref: 00725E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00725E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00725E67

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 69c6232a2b960a4a84cb8309baedbe4a4741417ffd945245631fba88f4b3ac33
Instruction ID: 43933bacad649784f25f0efe71c3770a199a8f5823548c9215aa22b07e7b7f49
Opcode Fuzzy Hash: 69c6232a2b960a4a84cb8309baedbe4a4741417ffd945245631fba88f4b3ac33
Instruction Fuzzy Hash: 9051FD71B00715AFDB19CF68DD89AAEBBB5FB48301F148229F915E6290D7749E04CB50

Function 006D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006D8BE8,?,00000000,?,?,?,?,006D8BBA,00000000,?), ref: 006D8FC5

DestroyWindow.USER32(?), ref: 006D8C81
KillTimer.USER32(00000000,?,?,?,?,006D8BBA,00000000,?), ref: 006D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00716973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006D8BBA,00000000,?), ref: 007169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006D8BBA,00000000,?), ref: 007169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006D8BBA,00000000), ref: 007169D4
DeleteObject.GDI32(00000000), ref: 007169E6

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 04051858b9bfd5ba9c9d8a56ba126ada1394cea015cc52a8500bda42bef0e936
Instruction ID: b0a53b9b3473d98eba6e7f96850492c3791562baa6266f0838b0a613684f002c
Opcode Fuzzy Hash: 04051858b9bfd5ba9c9d8a56ba126ada1394cea015cc52a8500bda42bef0e936
Instruction Fuzzy Hash: CF617D30911701DFDB269F18D948BA977B2FF40322F54851EE0429B6A0CB79B992DF98

Function 006D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006D9944: GetWindowLongW.USER32(?,000000EB), ref: 006D9952

GetSysColor.USER32(0000000F), ref: 006D9862

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fc87a11e2d5f29920b81c36d47703d9b784ff1c3b04983252114587bb2a83675
Instruction ID: be9751663b66e0055426c56e5bf3ea936aac3139dc2e4a2c5c424fedf538e918
Opcode Fuzzy Hash: fc87a11e2d5f29920b81c36d47703d9b784ff1c3b04983252114587bb2a83675
Instruction Fuzzy Hash: 0541A4319047449FDB215F389C84BF93B66EB06732F148A16F9A28B3E1D7759D42EB20

Function 006F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.n, xrefs: 006F903A, 006F8FD0, 006F8FF2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: .n
API String ID: 0-61608593
Opcode ID: 092ff45ee60c3d081a9c326ed6d95c7b39a81709edb3337105309a61d7e07e47
Instruction ID: f757d893ce50f8aeb1c5d7200d0d27c97af6cea5273b97ef7154332da30c38b9
Opcode Fuzzy Hash: 092ff45ee60c3d081a9c326ed6d95c7b39a81709edb3337105309a61d7e07e47
Instruction Fuzzy Hash: 0DC1D075A0434DAFCB119FA9D841BFDBBB2AF09310F04409DE614A7392CB359A42CB65

Function 007296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0070F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00729717
LoadStringW.USER32(00000000,?,0070F7F8,00000001), ref: 00729720

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0070F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00729742
LoadStringW.USER32(00000000,?,0070F7F8,00000001), ref: 00729745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00729866

Strings

Error: , xrefs: 0072981D
^ ERROR, xrefs: 007297FB
%s (%d) : ==> %s: %s %s, xrefs: 0072984A
Line %d (File "%s"):, xrefs: 0072978F
Line %d:, xrefs: 007297A0

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 7b022ba81fa16ce2d20451bccf2e530740a0bf0bf71ff263ee1f40b7f8383d6c
Instruction ID: e9306d300c988150ce9dd3409848ce46e94dddcdae3a9800169bfb9b53fb74d4
Opcode Fuzzy Hash: 7b022ba81fa16ce2d20451bccf2e530740a0bf0bf71ff263ee1f40b7f8383d6c
Instruction Fuzzy Hash: 4C414B72900269AADB44FBE0DD86EFE7379EF14300F14452DB60572192EA396F48CB69

Function 007206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00720804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0072082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00720837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0072083C

Strings

\CLSID, xrefs: 00720724
SOFTWARE\Classes\, xrefs: 0072070E
\IPC$, xrefs: 00720784

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: aba01545b8450d95b2c85bfd9ebe5254109adca25eb1ecdc6886d079cabaff92
Instruction ID: ef58265d5d42570d9f42255fca6a98ee15d68d34e1330ecc7e27b5fc30d43e19
Opcode Fuzzy Hash: aba01545b8450d95b2c85bfd9ebe5254109adca25eb1ecdc6886d079cabaff92
Instruction Fuzzy Hash: 4641F772C10229ABDF15EBA4DC95DFEB779FF04350B044129E905A32A1EB74AE04CBA4

Function 00743C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00743C5C
CoInitialize.OLE32(00000000), ref: 00743C8A
CoUninitialize.OLE32 ref: 00743C94
_wcslen.LIBCMT ref: 00743D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00743DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00743ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00743F0E
CoGetObject.OLE32(?,00000000,0075FB98,?), ref: 00743F2D
SetErrorMode.KERNEL32(00000000), ref: 00743F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00743FC4
VariantClear.OLEAUT32(?), ref: 00743FD8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8ef8f6f2cec0b45bedcf3ad4902ddbff86698332158af2427e0a22462c40c866
Instruction ID: 83536db70832d57ff1b07d144a490bb6ba8babe78adfbf17bcb36ee2ac2c34b4
Opcode Fuzzy Hash: 8ef8f6f2cec0b45bedcf3ad4902ddbff86698332158af2427e0a22462c40c866
Instruction Fuzzy Hash: 91C156716083019FD700DF68C884A6BBBE9FF89744F10491DF98A9B251DB75EE05CBA2

Function 00737A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00737AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00737B8F
SHGetDesktopFolder.SHELL32(?), ref: 00737BA3
CoCreateInstance.OLE32(0075FD08,00000000,00000001,00786E6C,?), ref: 00737BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00737C74
CoTaskMemFree.OLE32(?,?), ref: 00737CCC
SHBrowseForFolderW.SHELL32(?), ref: 00737D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00737D7A
CoTaskMemFree.OLE32(00000000), ref: 00737D81
CoTaskMemFree.OLE32(00000000), ref: 00737DD6
CoUninitialize.OLE32 ref: 00737DDC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 9b6833548caba346482bbc9f7e7e0b1406489d40fca5e54a4854d81387cdcb4c
Instruction ID: 96aa9bbd7747b80e436361ce91fa0fe5d7be4f7b72898f034e4a2a83269c9720
Opcode Fuzzy Hash: 9b6833548caba346482bbc9f7e7e0b1406489d40fca5e54a4854d81387cdcb4c
Instruction Fuzzy Hash: E6C11975A04209AFDB14DFA4C884DAEBBF9FF48304F148499E815DB262D734ED41CB94

Function 0075541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00755504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00755515
CharNextW.USER32(00000158), ref: 00755544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00755585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0075559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007555AC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2bb98bae0aac1a2283f189366928db7bc2fa806d51316a0129c8844b698037cc
Instruction ID: e892bd7743ee71715fe1ceb014d4766f782f9e595b70e4518750d35a4190789e
Opcode Fuzzy Hash: 2bb98bae0aac1a2283f189366928db7bc2fa806d51316a0129c8844b698037cc
Instruction Fuzzy Hash: 26618D30900649EFDF118F94CC94EFE7BB9EB09722F108145F925A6290D7BC9A89DB60

Function 0071FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0071FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0071FB08
VariantInit.OLEAUT32(?), ref: 0071FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0071FB3A
VariantCopy.OLEAUT32(?,?), ref: 0071FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0071FBA1
VariantClear.OLEAUT32(?), ref: 0071FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0071FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0071FBCC
VariantClear.OLEAUT32(?), ref: 0071FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0071FBE9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2e6f92517d5cc4bf2ad4b89b5814eb5f3462fdd7a7792a3fd692bfa1339a07f9
Instruction ID: 446f6b8e065c8d4e3b3e76574afc46240d4eab8de3a9132483b982148daa630b
Opcode Fuzzy Hash: 2e6f92517d5cc4bf2ad4b89b5814eb5f3462fdd7a7792a3fd692bfa1339a07f9
Instruction Fuzzy Hash: BE418174A00319DFCB11DF68C858EEDBBB9FF48355F00C029E905A72A1C778A946CBA4

Function 00729C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00729CA1
GetAsyncKeyState.USER32(000000A0), ref: 00729D22
GetKeyState.USER32(000000A0), ref: 00729D3D
GetAsyncKeyState.USER32(000000A1), ref: 00729D57
GetKeyState.USER32(000000A1), ref: 00729D6C
GetAsyncKeyState.USER32(00000011), ref: 00729D84
GetKeyState.USER32(00000011), ref: 00729D96
GetAsyncKeyState.USER32(00000012), ref: 00729DAE
GetKeyState.USER32(00000012), ref: 00729DC0
GetAsyncKeyState.USER32(0000005B), ref: 00729DD8
GetKeyState.USER32(0000005B), ref: 00729DEA

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fbc96732cac40ac88f08fd185ff94877fe26cd7f45f3b2849f55c1eeb1ace729
Instruction ID: 5fb720665d681e64bb5671e7ab0f54f8692eae33ad865787005ffa4522d4aaa6
Opcode Fuzzy Hash: fbc96732cac40ac88f08fd185ff94877fe26cd7f45f3b2849f55c1eeb1ace729
Instruction Fuzzy Hash: 2141B534A047D96DFF719670A8043F5BEA0AF11344F0C805ADBC6566C2EBED99C8D7A2

Function 0074055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007405BC
inet_addr.WSOCK32(?), ref: 0074061C
gethostbyname.WSOCK32(?), ref: 00740628
IcmpCreateFile.IPHLPAPI ref: 00740636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007407B9
WSACleanup.WSOCK32 ref: 007407BF

Strings

Ping, xrefs: 00740676

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 055a3985627e440d3d5db1bbb1cde14ba2c63f539ea50aa4cf938d8a112fc525
Instruction ID: 1a60117fe9ca12f804a6bf8950f2c0b439468f9ce27b4a0bdac3a7713e9a78c8
Opcode Fuzzy Hash: 055a3985627e440d3d5db1bbb1cde14ba2c63f539ea50aa4cf938d8a112fc525
Instruction Fuzzy Hash: C4918B355043019FD721DF15C488F1ABBE1EF44318F1585A9E56A8B6A2C778EC41CFD2

Function 00748CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00748CF3

Part of subcall function 00728E54: _wcslen.LIBCMT ref: 00728E77

_wcslen.LIBCMT ref: 00748D4E
_wcslen.LIBCMT ref: 00748D9C
_wcslen.LIBCMT ref: 00748DDC
_wcslen.LIBCMT ref: 00748E6E

Strings

none, xrefs: 00748E65, 00748E6A
stdcall, xrefs: 00748DD6, 00748DDB
cdecl, xrefs: 00748D48, 00748D4D
winapi, xrefs: 00748D96, 00748D9B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b90716ad4bd0919ac18ec267a63ab2bb4ca12cde3eb55bfd416d6d34e2cc23b0
Instruction ID: 3eb357c3057a467bd4c3da8cb1135ee0eab81edb3d394271de27394a5e7e9bb4
Opcode Fuzzy Hash: b90716ad4bd0919ac18ec267a63ab2bb4ca12cde3eb55bfd416d6d34e2cc23b0
Instruction Fuzzy Hash: B451A131A0112A9BCB54EF68C9409BEB7A6BF64324B20422DE426E7285DF39DD40CBD1

Function 0074372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00743774
CoUninitialize.OLE32 ref: 0074377F
CoCreateInstance.OLE32(?,00000000,00000017,0075FB78,?), ref: 007437D9
IIDFromString.OLE32(?,?), ref: 0074384C
VariantInit.OLEAUT32(?), ref: 007438E4
VariantClear.OLEAUT32(?), ref: 00743936

Strings

Invalid parameter, xrefs: 00743865
NULL Pointer assignment, xrefs: 0074381E
Failed to create object, xrefs: 007437E4, 0074389A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b26381e210487806d0af8b3a676a8516be0766d9cc5aa63fb0a0be84167bbb7a
Instruction ID: 46d90028007b63adaa79192bea235376d22f6bf54830a7b6d83bbafc6455f226
Opcode Fuzzy Hash: b26381e210487806d0af8b3a676a8516be0766d9cc5aa63fb0a0be84167bbb7a
Instruction Fuzzy Hash: D561A1B0608301AFD311DF54C889F6ABBE8EF49715F10490DF5999B291C778EE48CBA6

Function 00733388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007333CF

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007333F0

Strings

Incorrect parameters to object property !, xrefs: 007334AB
Error: , xrefs: 007334D1
"%s" (%d) : ==> %s:, xrefs: 00733522
"%s" (%d) : ==> %s:%s%s, xrefs: 00733504
^ ERROR , xrefs: 0073349E
Line %d (File "%s"):, xrefs: 00733443, 0073345C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: eb1f8c86819eb6e2f06e47191cbb0764717e9b45a16800950af6411936cfb9b4
Instruction ID: 3390cc24e5b400b738b6be34867647af4a1b698a55c5d3a27f51a4dc6e28e6fa
Opcode Fuzzy Hash: eb1f8c86819eb6e2f06e47191cbb0764717e9b45a16800950af6411936cfb9b4
Instruction Fuzzy Hash: 6351B071900259BADF15EBA0DD46EFEB779EF04340F20816AF50972152EB392F68CB64

Function 0072B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0072B5FC
_wcslen.LIBCMT ref: 0072B608
_wcslen.LIBCMT ref: 0072B64D
_wcslen.LIBCMT ref: 0072B68C
_wcslen.LIBCMT ref: 0072B6C7

Strings

APPEND, xrefs: 0072B6C1, 0072B6C6
KEYS, xrefs: 0072B647, 0072B64C
EXISTS, xrefs: 0072B686, 0072B68B
REMOVE, xrefs: 0072B602, 0072B607

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: bc5de892617ee792862aedbdcd9b7c97ecd2d773535a532d99f9f1f5b63818b0
Instruction ID: 5f01516eb33eec0340160e30bb1c4c6eacf14e70312758ad0161cf8843787b69
Opcode Fuzzy Hash: bc5de892617ee792862aedbdcd9b7c97ecd2d773535a532d99f9f1f5b63818b0
Instruction Fuzzy Hash: 4041B532A011379BCB206F7D99905BE77A5FFA0B54B24422AE462DB284E739CD81C790

Function 00735393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00735416
GetLastError.KERNEL32 ref: 00735420
SetErrorMode.KERNEL32(00000000,READY), ref: 007354A7

Strings

NOTREADY, xrefs: 0073544B
READY, xrefs: 00735460, 00735468
INVALID, xrefs: 00735459
UNKNOWN, xrefs: 00735444
READONLY, xrefs: 00735452

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e6c900bde03394abd6cbcfc96e50f5c5a7b1d610d39f007d34f2df47013bc936
Instruction ID: 964c405cf77af588a54d6ae3ea0282ccab7089d056863723faf1a32b26405c51
Opcode Fuzzy Hash: e6c900bde03394abd6cbcfc96e50f5c5a7b1d610d39f007d34f2df47013bc936
Instruction Fuzzy Hash: B231B275A006489FEB18DF68C484FAA7BB4FF04305F148069E805CB293DB79DD82CBA0

Function 00753C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00753C79
SetMenu.USER32(?,00000000), ref: 00753C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00753D10
IsMenu.USER32(?), ref: 00753D24
CreatePopupMenu.USER32 ref: 00753D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00753D5B
DrawMenuBar.USER32 ref: 00753D63

Strings

0, xrefs: 00753C54
F, xrefs: 00753D4E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 90d7f2cea22a1306ea29eb179dba5e908b74513775063bfe4fe76c1cd806e879
Instruction ID: 87c8fd7662afc95f1ecac37209663a757eaca63011bcc12973ff895566079218
Opcode Fuzzy Hash: 90d7f2cea22a1306ea29eb179dba5e908b74513775063bfe4fe76c1cd806e879
Instruction Fuzzy Hash: B1417975A01309AFDB14CFA4D844BEA7BB5FF49392F144029ED0697360D7B8AA14CF94

Function 00721EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00721F64
GetDlgCtrlID.USER32 ref: 00721F6F
GetParent.USER32 ref: 00721F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00721F8E
GetDlgCtrlID.USER32(?), ref: 00721F97
GetParent.USER32(?), ref: 00721FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00721FAE

Strings

ComboBox, xrefs: 00721EEC
ListBox, xrefs: 00721F21

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 5665541e2f17b9724aa4ee95adfea95ff54cc483ca99343b63e869499178ec64
Instruction ID: 67299f7260ffd48b4eb091db15ae9d6e1c1fbedaf941339b0230becb442879eb
Opcode Fuzzy Hash: 5665541e2f17b9724aa4ee95adfea95ff54cc483ca99343b63e869499178ec64
Instruction Fuzzy Hash: F721B070900224BFCF05AFA0DC99EFEBBB9EF19310B004599B96167291CB7C5A14DB74

Function 00721FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00722043
GetDlgCtrlID.USER32 ref: 0072204E
GetParent.USER32 ref: 0072206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0072206D
GetDlgCtrlID.USER32(?), ref: 00722076
GetParent.USER32(?), ref: 0072208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0072208D

Strings

ComboBox, xrefs: 00721FCD
ListBox, xrefs: 00722002

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0489180e9927d090a6f24b791d02707e67a2bf72f0ce7ddf337d7d2b900512c5
Instruction ID: fefbe8329e57c8811f735b14bb273e21973ab26db97602e643c604582770ed4b
Opcode Fuzzy Hash: 0489180e9927d090a6f24b791d02707e67a2bf72f0ce7ddf337d7d2b900512c5
Instruction Fuzzy Hash: 4221C2B1900214BFCF15AFA0DC49EFEBBB8EF15300F104459B951A71A1CA7D9A15DB74

Function 00753A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00753A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00753AA0
GetWindowLongW.USER32(?,000000F0), ref: 00753AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00753AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00753B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00753BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00753BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00753BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00753BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00753C13

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 3e05efea440c980ddc24919578e6b69dd052bc7c41cc0acd91c2db125eff1aae
Instruction ID: ca0530b5c5df5aa48fc9d53444ad271e5f8cf0f5e3df86a490d6336e748ba5c1
Opcode Fuzzy Hash: 3e05efea440c980ddc24919578e6b69dd052bc7c41cc0acd91c2db125eff1aae
Instruction Fuzzy Hash: F7618E75900248AFDB11DF68CC81EEE77F8EB09710F104199FA15E72A1C7B8AE45DB60

Function 0072B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0072B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0072A1E1,?,00000001), ref: 0072B165
GetWindowThreadProcessId.USER32(00000000), ref: 0072B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0072A1E1,?,00000001), ref: 0072B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0072B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0072A1E1,?,00000001), ref: 0072B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0072A1E1,?,00000001), ref: 0072B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0072A1E1,?,00000001), ref: 0072B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0072A1E1,?,00000001), ref: 0072B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0072A1E1,?,00000001), ref: 0072B21D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 953007deb6ff9082958046fcab0e1a041ad3c8ed8fa7c33bed2723ac73a7bd72
Instruction ID: 448c2e89fa2683e90cd6055245375ba9a13c7046b63b614fdb2ef4d879439bff
Opcode Fuzzy Hash: 953007deb6ff9082958046fcab0e1a041ad3c8ed8fa7c33bed2723ac73a7bd72
Instruction Fuzzy Hash: A2318971510318EFDB119F68EC49BAE7BBAFB91312F108006FA01DA191D7BC9A41CF68

Function 006F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006F2C94

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006F2CA0
_free.LIBCMT ref: 006F2CAB
_free.LIBCMT ref: 006F2CB6
_free.LIBCMT ref: 006F2CC1
_free.LIBCMT ref: 006F2CCC
_free.LIBCMT ref: 006F2CD7
_free.LIBCMT ref: 006F2CE2
_free.LIBCMT ref: 006F2CED
_free.LIBCMT ref: 006F2CFB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2c5bf4f25e9b270fd45b2f47df2b56d86ea7cbbdb3ca524e591bac25772812ec
Instruction ID: 7789424ce5f1bfa7d7bbd3bb3e7ade1e3c9e100896547b90f936194057342c30
Opcode Fuzzy Hash: 2c5bf4f25e9b270fd45b2f47df2b56d86ea7cbbdb3ca524e591bac25772812ec
Instruction Fuzzy Hash: 1111D77614010EAFCB42EF55D852CED3BA6FF05750F4144A8FA485F222D671EE509F94

Function 00737DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00737FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00737FC1
GetFileAttributesW.KERNEL32(?), ref: 00737FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00738005
SetCurrentDirectoryW.KERNEL32(?), ref: 00738017
SetCurrentDirectoryW.KERNEL32(?), ref: 00738060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007380B0

Strings

*.*, xrefs: 00738066

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cf4dc5056a90ca70fefd9fcb9c8cecca59ab3b645f08f2abaf20b3aaf3788b3e
Instruction ID: 3cebe5f3a1598229e991603ba1358ac1716347da5ae1abae0b6a3fb7696e95f4
Opcode Fuzzy Hash: cf4dc5056a90ca70fefd9fcb9c8cecca59ab3b645f08f2abaf20b3aaf3788b3e
Instruction Fuzzy Hash: 3381B0B25483459BEB38EF14C484AAAB3E9BF88310F54485EF885C7252EB38DD45CB52

Function 006C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006C5C7A

Part of subcall function 006C5D0A: GetClientRect.USER32(?,?), ref: 006C5D30
Part of subcall function 006C5D0A: GetWindowRect.USER32(?,?), ref: 006C5D71
Part of subcall function 006C5D0A: ScreenToClient.USER32(?,?), ref: 006C5D99

GetDC.USER32 ref: 007046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00704708
SelectObject.GDI32(00000000,00000000), ref: 00704716
SelectObject.GDI32(00000000,00000000), ref: 0070472B
ReleaseDC.USER32(?,00000000), ref: 00704733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007047C4

Strings

U, xrefs: 00704693

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a01770fa08d0cd1b9aee1dfdb5d7492ef1c5d36dfd45359a8e4615d72566ada7
Instruction ID: e812c8de81ba72a3a7268be0456b4b1c67642efe494db421db3cd614ffac0d0a
Opcode Fuzzy Hash: a01770fa08d0cd1b9aee1dfdb5d7492ef1c5d36dfd45359a8e4615d72566ada7
Instruction Fuzzy Hash: 5171BD70400205DFCF218F64CD84AFA3BF2FF4A361F14426AEE565A2A6D3399881DF50

Function 0073359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007335E4

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

LoadStringW.USER32(00792390,?,00000FFF,?), ref: 0073360A

Strings

Error: , xrefs: 007336EF
^ ERROR, xrefs: 007336C9
"%s" (%d) : ==> %s:, xrefs: 00733742
"%s" (%d) : ==> %s:%s%s, xrefs: 00733724
Line %d (File "%s"):, xrefs: 0073366B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: e9d338bb8933289585f1162bb1f3e2d8e7f131806263f87b8bd4b06682a60c0e
Instruction ID: 8887b7ab1fa6cee545fb5b38d7befdceece9c16bde3c9383aa522ec8d082e3a8
Opcode Fuzzy Hash: e9d338bb8933289585f1162bb1f3e2d8e7f131806263f87b8bd4b06682a60c0e
Instruction Fuzzy Hash: 92517EB180025ABADF15EBA0DC46EFDBB39EF04300F144129F105721A2DB391B99DBA8

Function 0073C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0073C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0073C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0073C2CA
GetLastError.KERNEL32 ref: 0073C322
SetEvent.KERNEL32(?), ref: 0073C336
InternetCloseHandle.WININET(00000000), ref: 0073C341

Strings

, xrefs: 0073C2BB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6e65d67b258a90454a07c0351e2e5a2702a6bd874ec997c39be3cebb65e1206d
Instruction ID: feaaeb0665ebc490fcbbcacedf6642695a5a74d0207453b2bab59f4c96e8ea59
Opcode Fuzzy Hash: 6e65d67b258a90454a07c0351e2e5a2702a6bd874ec997c39be3cebb65e1206d
Instruction Fuzzy Hash: 58317FB1600308AFE7229F64CC88AAB7BFCEB49744F14851DF446E7202DB79DD059B66

Function 0072989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00703AAF,?,?,Bad directive syntax error,0075CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007298BC
LoadStringW.USER32(00000000,?,00703AAF,?), ref: 007298C3

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00729987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 007298F1
., xrefs: 0072996D
Error: , xrefs: 00729955
Line %d (File "%s"):, xrefs: 0072992D
Line %d:, xrefs: 00729912

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: bb23cc570e3e72345f9fad959cc63bdf08c07130e8ed7a5558b2440677d26718
Instruction ID: 2e7d4c854125f19ed8220f6b2d93f39d4a9bc9164b0c40d1cea1336e35b992b0
Opcode Fuzzy Hash: bb23cc570e3e72345f9fad959cc63bdf08c07130e8ed7a5558b2440677d26718
Instruction Fuzzy Hash: F2216F7194026ABBCF15AF90DC0AFED7776FF18300F04441EF519660A2DA75A658CB64

Function 0072209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0072214D

Strings

largeicons, xrefs: 007220E1
smallicons, xrefs: 00722115
list, xrefs: 0072212F
details, xrefs: 007220FB
SHELLDLL_DefView, xrefs: 007220CC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 08437b16b7f1acfd037f21f2b392cb3ff0c67acc75a018303f70e8916d9f9092
Instruction ID: fab0c917c1a0945d2d047159bb62efa1751de3f9ae90a4140a8048ecec895fbf
Opcode Fuzzy Hash: 08437b16b7f1acfd037f21f2b392cb3ff0c67acc75a018303f70e8916d9f9092
Instruction Fuzzy Hash: 73110ABA6C471AB9F6013625EC06DE63B9CDF14324B20012AF704A50D2FEADDC23561C

Function 006FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006FCEB7
_free.LIBCMT ref: 006FCF22
_free.LIBCMT ref: 006FCF48
_free.LIBCMT ref: 006FCF71
_free.LIBCMT ref: 006FCFA9
_free.LIBCMT ref: 006FCFDA
_free.LIBCMT ref: 006FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 006FD09C
_free.LIBCMT ref: 006FD0B5

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: bfcf2d663969254338b9853a8a84e4b651c8730c11a5a7f91572b932f6b9aaff
Instruction ID: 0af8feb64038baa1f83371c2a3b1127f9ccc853b9389884b6da354eaad290571
Opcode Fuzzy Hash: bfcf2d663969254338b9853a8a84e4b651c8730c11a5a7f91572b932f6b9aaff
Instruction Fuzzy Hash: 74614A71A0530DAFDB21AFB49951ABABBA7EF05320F04416EFB4197381DB359D018794

Function 007550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00755186
ShowWindow.USER32(?,00000000), ref: 007551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007551D1

Part of subcall function 00756FBA: DeleteObject.GDI32(00000000), ref: 00756FE6

GetWindowLongW.USER32(?,000000F0), ref: 0075520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0075521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0075524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00755287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00755296

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 6fe891f3b39e9b6cc4a6dda17014a9d8cc8e26cf9acb08cce4c85c68b707cff3
Instruction ID: 2e61a5a86841ed91c54f3edb101e080502cb52aae6ad794a882ae1474c1e27cc
Opcode Fuzzy Hash: 6fe891f3b39e9b6cc4a6dda17014a9d8cc8e26cf9acb08cce4c85c68b707cff3
Instruction Fuzzy Hash: E1519270A50A08FEEF209F28CC59BD93BA5FB05322F148116FD15966E0C7FDA998DB41

Function 006D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00716890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00716901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0071691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0071692D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: bfa0e3811de4d425cb7b70eacdd5c7c68ed5ae7df95db42c0555e07b0a452a0c
Instruction ID: 68fe9961e79fd33feb8d0ecd833cca6ec1bdc4627c7a90e8732cc55bc0e87cb9
Opcode Fuzzy Hash: bfa0e3811de4d425cb7b70eacdd5c7c68ed5ae7df95db42c0555e07b0a452a0c
Instruction Fuzzy Hash: D4519B70A00309EFDB20CF28CC95FAA7BB6EB58761F10451AF912972E0DB74E991DB50

Function 0073C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0073C182
GetLastError.KERNEL32 ref: 0073C195
SetEvent.KERNEL32(?), ref: 0073C1A9

Part of subcall function 0073C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0073C272
Part of subcall function 0073C253: GetLastError.KERNEL32 ref: 0073C322
Part of subcall function 0073C253: SetEvent.KERNEL32(?), ref: 0073C336
Part of subcall function 0073C253: InternetCloseHandle.WININET(00000000), ref: 0073C341

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1d3a63416c9f522ae9e9ce5219b79340b028e34b5fa1ebce691c5e8cfa79c481
Instruction ID: f0ad82853d1aa1d692c4facc6648e72709ffa14116d5b524ee0624e5f5dae4a5
Opcode Fuzzy Hash: 1d3a63416c9f522ae9e9ce5219b79340b028e34b5fa1ebce691c5e8cfa79c481
Instruction Fuzzy Hash: 17318F71200705EFEB229FA5DC44AA7BBF8FF18301F04841DF956A6612D779E814EB60

Function 007225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00723A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00723A57
Part of subcall function 00723A3D: GetCurrentThreadId.KERNEL32 ref: 00723A5E
Part of subcall function 00723A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007225B3), ref: 00723A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00722601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00722605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0072260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00722623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00722627

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: be2d28ac28da0cf5b8f2b3c4aa9e0884101590fa4515bdf3317a9b53a5a8a6a0
Instruction ID: 62b0a01cc68eb39f2a59dff3fdde9ebae202a7e383e6c3d462774f411afd61ba
Opcode Fuzzy Hash: be2d28ac28da0cf5b8f2b3c4aa9e0884101590fa4515bdf3317a9b53a5a8a6a0
Instruction Fuzzy Hash: 27012430380724BBFB1067689C8EF993F99DB4EB12F104012F318AE0D1C9FA68408A6D

Function 00721803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00721449,?,?,00000000), ref: 0072180C
HeapAlloc.KERNEL32(00000000,?,00721449,?,?,00000000), ref: 00721813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00721449,?,?,00000000), ref: 00721828
GetCurrentProcess.KERNEL32(?,00000000,?,00721449,?,?,00000000), ref: 00721830
DuplicateHandle.KERNEL32(00000000,?,00721449,?,?,00000000), ref: 00721833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00721449,?,?,00000000), ref: 00721843
GetCurrentProcess.KERNEL32(00721449,00000000,?,00721449,?,?,00000000), ref: 0072184B
DuplicateHandle.KERNEL32(00000000,?,00721449,?,?,00000000), ref: 0072184E
CreateThread.KERNEL32(00000000,00000000,00721874,00000000,00000000,00000000), ref: 00721868

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 83157cf0c9c31bca12d7d05d107128c5e06fb940bfed7cca8318d444e66bd68d
Instruction ID: 0bf57b4d7c13501531edc6a45e905651fe77f4f1f16680d34b06684e1caa046a
Opcode Fuzzy Hash: 83157cf0c9c31bca12d7d05d107128c5e06fb940bfed7cca8318d444e66bd68d
Instruction Fuzzy Hash: 2601BFB5640748BFE711AB75DC4EF9B3BACEB89B11F418411FA05DB191CAB49C40CB24

Function 006F3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006F3F0B
__alldvrm.LIBCMT ref: 006F410C
__alldvrm.LIBCMT ref: 006F412E

Strings

}}n, xrefs: 006F40CD
}}n, xrefs: 006F3E8A
}}n, xrefs: 006F3E96, 006F3EF1, 006F3F0A, 006F4090

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}n$}}n$}}n
API String ID: 1036877536-3958929660
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 91f22f552450684773c8a417768cfa652dbc28358744d69216cd8b6c4b76cb48
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 01A14971E0539A9FD721CF18C8917BFBBE6EF61350F14426DE6859B781CA388981C750

Function 0074A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0072D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0072D501
Part of subcall function 0072D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0072D50F
Part of subcall function 0072D4DC: CloseHandle.KERNELBASE(00000000), ref: 0072D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0074A16D
GetLastError.KERNEL32 ref: 0074A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0074A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0074A268
GetLastError.KERNEL32(00000000), ref: 0074A273
CloseHandle.KERNEL32(00000000), ref: 0074A2C4

Strings

SeDebugPrivilege, xrefs: 0074A18F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cb9d43c1abc930963654a797688695069dfe00cc0c5d7bc684d8ea0e86091c1e
Instruction ID: af37c49bfcc32cfd90950c35355fbcdf36432879926e896615a5ae5a893693de
Opcode Fuzzy Hash: cb9d43c1abc930963654a797688695069dfe00cc0c5d7bc684d8ea0e86091c1e
Instruction Fuzzy Hash: D4619F71244242AFD720DF14C494F2ABBE1BF94318F14849CE46A4B7A3C7BAED45CB96

Function 00753886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00753925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0075393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00753954
_wcslen.LIBCMT ref: 00753999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007539F4

Strings

SysListView32, xrefs: 007538F7

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 599b294fd7328ae0d2937e25647c6aae065a0c20bcefc6a7031c7baa29f73c46
Instruction ID: 4c6a742fa23a7db037c4805ef03568e563a07b5bfdd26f8a98a8fcc6f9f7ee19
Opcode Fuzzy Hash: 599b294fd7328ae0d2937e25647c6aae065a0c20bcefc6a7031c7baa29f73c46
Instruction Fuzzy Hash: DA41D671A00309ABEF219F64CC49FEA77A9EF08355F10052AF954E7191D7B9AE84CB90

Function 0072BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0072BCFD
IsMenu.USER32(00000000), ref: 0072BD1D
CreatePopupMenu.USER32 ref: 0072BD53
GetMenuItemCount.USER32(00D45820), ref: 0072BDA4
InsertMenuItemW.USER32(00D45820,?,00000001,00000030), ref: 0072BDCC

Strings

2, xrefs: 0072BD37
0, xrefs: 0072BCA8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: c747dc826a090fbc23030c720f7cb9cead3f2ee0baea92b043912818be882c15
Instruction ID: c822c04125bf1d093211414b2d6ad1da3d35788ac29125c60c6ead9ac69d3fe2
Opcode Fuzzy Hash: c747dc826a090fbc23030c720f7cb9cead3f2ee0baea92b043912818be882c15
Instruction Fuzzy Hash: CB51AD70B00325DBDB11CFA8E888BEEBBF4BF45314F248159E45197291E778A941CBA1

Function 006E2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 006E2D53
_ValidateLocalCookies.LIBCMT ref: 006E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 006E2E0C
_ValidateLocalCookies.LIBCMT ref: 006E2E61

Strings

&Hn, xrefs: 006E2DFE, 006E2E07, 006E2E18
csm, xrefs: 006E2DF6

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hn$csm
API String ID: 1170836740-3078436630
Opcode ID: 091e888b43480b6387c69b0fe4ff52666116931342c622e45559c5fab369d64a
Instruction ID: 8131a79500f06136c79bd80a2a8f629f30cb4468f93ff6994fe300b046ed53eb
Opcode Fuzzy Hash: 091e888b43480b6387c69b0fe4ff52666116931342c622e45559c5fab369d64a
Instruction Fuzzy Hash: ED41E334A0235A9BCF10DF6ACC55ADEBBABBF44314F148155E9146B392D771AA01CBD0

Function 0072C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0072C913

Strings

info, xrefs: 0072C8B4
question, xrefs: 0072C8CC
warning, xrefs: 0072C8FC
stop, xrefs: 0072C8E4
blank, xrefs: 0072C895

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ecd3959cbbba7da562f1c260411e6851e65779b0600f14c47144874c608721a1
Instruction ID: 4b9bd6e73aab1a9ff9d9f91b6f9e4d1b33a4dc8a51a29c48f96f310a0682ee17
Opcode Fuzzy Hash: ecd3959cbbba7da562f1c260411e6851e65779b0600f14c47144874c608721a1
Instruction Fuzzy Hash: 96113D31689356BEE7026B55BC83DAE279CDF35324B10403EF500A7182EBBC6E4053AC

Function 0072DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0072DE42
gethostname.WSOCK32(?,00000100), ref: 0072DE5C
gethostbyname.WSOCK32(?), ref: 0072DE69
inet_ntoa.WSOCK32(?), ref: 0072DEAB
_strcat.LIBCMT ref: 0072DEB9
WSACleanup.WSOCK32 ref: 0072DEDE

Strings

0.0.0.0, xrefs: 0072DE87

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 005fada1846b1e3613a7bc190aac2125df8793f9264ed2c49edf172faa40a953
Instruction ID: 79bd8474228694b67c974b9b596ca17b1287cf2e2a63068e9e93ede2c7ec7a11
Opcode Fuzzy Hash: 005fada1846b1e3613a7bc190aac2125df8793f9264ed2c49edf172faa40a953
Instruction Fuzzy Hash: B0112971D04324AFDB71BB70EC0AEEE77ADDF14711F010169F445A6092EFB99E818A64

Function 0072ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0072ED2A
_wcslen.LIBCMT ref: 0072ED3B
_wcslen.LIBCMT ref: 0072ED79
_wcslen.LIBCMT ref: 0072EDAF
_wcslen.LIBCMT ref: 0072EDDF
_wcslen.LIBCMT ref: 0072EDEF
_wcslen.LIBCMT ref: 0072EE2B
_wcslen.LIBCMT ref: 0072EE5A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 6aa8a617c232fba5979adf3136b1f7a3ca3ac2cf269de9e238d6a8a87fcd771b
Instruction ID: 38902725df2fc47c7e4c20fbeca0f315be10a1655b8e4e159dd08dbff45410e3
Opcode Fuzzy Hash: 6aa8a617c232fba5979adf3136b1f7a3ca3ac2cf269de9e238d6a8a87fcd771b
Instruction Fuzzy Hash: C041B365C1126879CB51EBB5C88A9CFB3A9AF05300F00846AF614F3122FB34D345C3EA

Function 006DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0071682C,00000004,00000000,00000000), ref: 006DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0071682C,00000004,00000000,00000000), ref: 0071F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0071682C,00000004,00000000,00000000), ref: 0071F454

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8ebe6df85c69e7c89a9fe51f22ee23ef6a5114a72ccc95f96946a5ae22ca0ad0
Instruction ID: ffd497af741cd04bc39255f366b1352c031c3109ee829dc9e5bf8e1571ab3548
Opcode Fuzzy Hash: 8ebe6df85c69e7c89a9fe51f22ee23ef6a5114a72ccc95f96946a5ae22ca0ad0
Instruction Fuzzy Hash: 7D412B30D047C0BEC7398B2D88A87EA7B93AB46310F14843EF4475A7A0C67AA8C1C791

Function 00752D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00752D1B
GetDC.USER32(00000000), ref: 00752D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00752D2E
ReleaseDC.USER32(00000000,00000000), ref: 00752D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00752D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00752D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00755A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00752DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00752DE1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 63d44969f6f8c789e573598ff97b1ae59a3ab57f137305c0b002968211588f8e
Instruction ID: 482a7cd44880d9706db2c56a2507f9c388a95917558eed0561aeb663651bd072
Opcode Fuzzy Hash: 63d44969f6f8c789e573598ff97b1ae59a3ab57f137305c0b002968211588f8e
Instruction Fuzzy Hash: E0317F72201314BFEB154F50CC8AFEB3BA9EF0A716F048055FE089A291C6B99C51CBA4

Function 00725622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00725637
_memcmp.LIBVCRUNTIME ref: 00725659
_memcmp.LIBVCRUNTIME ref: 00725671
_memcmp.LIBVCRUNTIME ref: 00725684
_memcmp.LIBVCRUNTIME ref: 0072569E
_memcmp.LIBVCRUNTIME ref: 007256B1
_memcmp.LIBVCRUNTIME ref: 007256C9
_memcmp.LIBVCRUNTIME ref: 007256E4

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 772d251140c33dc06bc97aa92ec754a0c3b1e47826005ea7c258280fe9fcf79e
Instruction ID: dadd3f5dba13decd07c672294a161bd4601c52be89adceb555ce58156ac965b0
Opcode Fuzzy Hash: 772d251140c33dc06bc97aa92ec754a0c3b1e47826005ea7c258280fe9fcf79e
Instruction Fuzzy Hash: C4214CB1641A6477D21495216D92FFB335DAF11781F440038FD045E641FB7CED1482B8

Function 00744FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0074502E, 00745383
Not an Object type, xrefs: 00745007

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ace4ea8aaaf90f4d3ed6902c9b1f97dd685f7c2112cbd7577c201d6153a6df74
Instruction ID: 24f956d473c5fa523373b64cf5110b0ec4d4035726d38ef7a791165543ddb1a9
Opcode Fuzzy Hash: ace4ea8aaaf90f4d3ed6902c9b1f97dd685f7c2112cbd7577c201d6153a6df74
Instruction Fuzzy Hash: 61D1B475A0070AAFDF10CFA8C885FAEB7B5BF48344F148069E915AB292E774DD45CB90

Function 00701522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 007015CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00701651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007016E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007016FB

Part of subcall function 006F3820: RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00701777
__freea.LIBCMT ref: 007017A2
__freea.LIBCMT ref: 007017AE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 390d65bdc74d1de6063897df45cf5ecb3d48c4073782f3f4f7fdeede0221fd61
Instruction ID: 19f1c01331e5bc98b2a595c19f437967f3cef9d610379e5b9b5ece62988f8407
Opcode Fuzzy Hash: 390d65bdc74d1de6063897df45cf5ecb3d48c4073782f3f4f7fdeede0221fd61
Instruction Fuzzy Hash: B7919172E00216DEDB218EB4CC85AEE7BF5AF49750F984769E901EB1C1DB29DD40CB60

Function 00744523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00744648
VariantInit.OLEAUT32(?), ref: 00744749
VariantClear.OLEAUT32(?), ref: 00744753
VariantClear.OLEAUT32(?), ref: 007447B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007445D8, 00744706, 007447BE
Incorrect Object type in FOR..IN loop, xrefs: 0074472C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 592704bd016975b7dc94e8f23365b1af9de82d087a5b9231d1641f1230b7777b
Instruction ID: b32ca80575b9a20592fa000b780851bc576cff1e63cef22ec8b3d050ad67fa8a
Opcode Fuzzy Hash: 592704bd016975b7dc94e8f23365b1af9de82d087a5b9231d1641f1230b7777b
Instruction Fuzzy Hash: D0919F71A00219AFDF25CFA4CC88FAEBBB8EF46714F108559F515AB280D7789941DFA0

Function 00731187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0073125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00731284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0073135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00731430

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 31e392c5896a2a6d6559ebbeafdda4f762c5076412405393ed3dad70b6e65e94
Instruction ID: d0752a1997060aa3c4d28d349ee993e032dcfe67b18cfa6ca1e0608cc4965726
Opcode Fuzzy Hash: 31e392c5896a2a6d6559ebbeafdda4f762c5076412405393ed3dad70b6e65e94
Instruction Fuzzy Hash: BA91D272A003199FEB01DF94C894BFEB7B5FF44325F508029E911EB292D778A941CB94

Function 006D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d8eaf60e2588c5c71d5383fcbe8c613c40776f6b60d4553b2ec8241939a27d86
Instruction ID: 2473177928009141ca74c465af80621592ad5c2aebe4ce85f441e69f13fb2ec5
Opcode Fuzzy Hash: d8eaf60e2588c5c71d5383fcbe8c613c40776f6b60d4553b2ec8241939a27d86
Instruction Fuzzy Hash: 33911771D00219AFCB15CFA9CC84AEEBBB9FF49320F14855AE515B7291D378A942CB60

Function 00743947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0074396B
CharUpperBuffW.USER32(?,?), ref: 00743A7A
_wcslen.LIBCMT ref: 00743A8A
VariantClear.OLEAUT32(?), ref: 00743C1F

Part of subcall function 00730CDF: VariantInit.OLEAUT32(00000000), ref: 00730D1F
Part of subcall function 00730CDF: VariantCopy.OLEAUT32(?,?), ref: 00730D28
Part of subcall function 00730CDF: VariantClear.OLEAUT32(?), ref: 00730D34

Strings

AUTOIT.ERROR, xrefs: 00743A80, 00743A85
Incorrect Parameter format, xrefs: 007439A6, 00743BA1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: ba331bea37178ce33b377fbbb365d6396c65ccb128039edf7fb6a4ffef74c749
Instruction ID: edee5d80f149e87f8295a2398a5b0f32a27e32931e00f6f154579c7f4ab4f560
Opcode Fuzzy Hash: ba331bea37178ce33b377fbbb365d6396c65ccb128039edf7fb6a4ffef74c749
Instruction Fuzzy Hash: E99168746083059FCB04EF24C485A6AB7E5FF88314F14892EF89A9B351DB34EE05CB96

Function 00744BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0072000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?,?,0072035E), ref: 0072002B
Part of subcall function 0072000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720046
Part of subcall function 0072000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720054
Part of subcall function 0072000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?), ref: 00720064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00744C51
_wcslen.LIBCMT ref: 00744D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00744DCF
CoTaskMemFree.OLE32(?), ref: 00744DDA

Strings

NULL Pointer assignment, xrefs: 00744E23, 00744E52

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 28c08349afab51795f353290ca66ea25798787d03911e557d294a16afe51548b
Instruction ID: 92c2f44b6cd89789fa708024e6ff01c6aae2a536bafe82f446930ce5f1742316
Opcode Fuzzy Hash: 28c08349afab51795f353290ca66ea25798787d03911e557d294a16afe51548b
Instruction Fuzzy Hash: D8912471D0022DAFDF14DFA4C891EEEB7B9FF08314F10856AE915A7241EB749A449FA0

Function 007520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00752183
GetMenuItemCount.USER32(00000000), ref: 007521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007521DD
_wcslen.LIBCMT ref: 00752213
GetMenuItemID.USER32(?,?), ref: 0075224D
GetSubMenu.USER32(?,?), ref: 0075225B

Part of subcall function 00723A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00723A57
Part of subcall function 00723A3D: GetCurrentThreadId.KERNEL32 ref: 00723A5E
Part of subcall function 00723A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007225B3), ref: 00723A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007522E3

Part of subcall function 0072E97B: Sleep.KERNEL32 ref: 0072E9F3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c7b686a4c1ba0e49c7bf763e409dea27abfe494d6ae08764ec029fed7307aeab
Instruction ID: 02255b37d8d0e74415be721444195a06229cbc60bf5ca9e95e82b4e9659c7be8
Opcode Fuzzy Hash: c7b686a4c1ba0e49c7bf763e409dea27abfe494d6ae08764ec029fed7307aeab
Instruction Fuzzy Hash: C9719035A00205AFCB10DF64C845AEEB7F2FF49321F158459E816EB352DB78EE428B90

Function 00757E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D454D8), ref: 00757F37
IsWindowEnabled.USER32(00D454D8), ref: 00757F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0075801E
SendMessageW.USER32(00D454D8,000000B0,?,?), ref: 00758051
IsDlgButtonChecked.USER32(?,?), ref: 00758089
GetWindowLongW.USER32(00D454D8,000000EC), ref: 007580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007580C3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 897d9235e7b7ba665656f4c29d0f8e4a2dadafafcddac63f032be6235d607504
Instruction ID: 9e0b51cdb6577edcd99a38439efe97c8ff03b9c77cba9947b94db393c1febb36
Opcode Fuzzy Hash: 897d9235e7b7ba665656f4c29d0f8e4a2dadafafcddac63f032be6235d607504
Instruction Fuzzy Hash: 8471C134608204AFEF25DF54DC84FEA7BB5EF09302F144459ED45972A1CBB9AD4ACB11

Function 0072AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0072AEF9
GetKeyboardState.USER32(?), ref: 0072AF0E
SetKeyboardState.USER32(?), ref: 0072AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0072AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0072AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0072AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0072B020

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b7f3592154fb2e6cccb01335ae7bae2edd687551ed7222e2ba91fcfce000b489
Instruction ID: c50f9a3f450634a2a68576a33c2c8e91910ec70ce2dd9a9c92b65131c8630067
Opcode Fuzzy Hash: b7f3592154fb2e6cccb01335ae7bae2edd687551ed7222e2ba91fcfce000b489
Instruction Fuzzy Hash: 3551C1A0A047E57EFB3742349949BBABFE96B06304F088489E1E9558C2D3DCEDC4D751

Function 0072ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0072AD19
GetKeyboardState.USER32(?), ref: 0072AD2E
SetKeyboardState.USER32(?), ref: 0072AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0072ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0072ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0072AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0072AE38

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 164fb574de5b98b7438238a6150b541707d63629d066e0e882f96d7b7f84e30d
Instruction ID: 3f05cd69ce2e1931ab0c80399d3589f4af7040bb4e45c4f0ecb815f7987f57cb
Opcode Fuzzy Hash: 164fb574de5b98b7438238a6150b541707d63629d066e0e882f96d7b7f84e30d
Instruction Fuzzy Hash: 1251E6A1A047E57EFB3383349C56B7ABED8AB45300F088488E1D5568C3D29CED85D752

Function 006F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00703CD6,?,?,?,?,?,?,?,?,006F5BA3,?,?,00703CD6,?,?), ref: 006F5470
__fassign.LIBCMT ref: 006F54EB
__fassign.LIBCMT ref: 006F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00703CD6,00000005,00000000,00000000), ref: 006F552C
WriteFile.KERNEL32(?,00703CD6,00000000,006F5BA3,00000000,?,?,?,?,?,?,?,?,?,006F5BA3,?), ref: 006F554B
WriteFile.KERNEL32(?,?,00000001,006F5BA3,00000000,?,?,?,?,?,?,?,?,?,006F5BA3,?), ref: 006F5584

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 399bbfa583a46bfe97a10ddd62abb8fafe7567efa0f4294d90afe0aac1bed47e
Instruction ID: 068e2f9a7ae3a2cfaae9f9e3e69225ab542c37bcb6221e5e251160a8cb51fdba
Opcode Fuzzy Hash: 399bbfa583a46bfe97a10ddd62abb8fafe7567efa0f4294d90afe0aac1bed47e
Instruction Fuzzy Hash: B151C0B1A0074D9FDB11CFA8D845AEEBBFAEF08300F14415AE656E7291E7709E41CB64

Function 007410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0074304E: inet_addr.WSOCK32(?), ref: 0074307A
Part of subcall function 0074304E: _wcslen.LIBCMT ref: 0074309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00741112
WSAGetLastError.WSOCK32 ref: 00741121
WSAGetLastError.WSOCK32 ref: 007411C9
closesocket.WSOCK32(00000000), ref: 007411F9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4c20bc5932f70206878cc7a65b10512b97f4c6fcfe6f865e53395d100b27db92
Instruction ID: bb34e2ce3af49cab44a4d893192c44295467319a7ecc92d789d87e8a6d491eca
Opcode Fuzzy Hash: 4c20bc5932f70206878cc7a65b10512b97f4c6fcfe6f865e53395d100b27db92
Instruction Fuzzy Hash: 56410531600208AFDB10EF24C884BA9BBEAEF45324F54805DFD199B291D778ED81CBE5

Function 0072CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0072DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0072CF22,?), ref: 0072DDFD

Part of subcall function 0072DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0072CF22,?), ref: 0072DE16

lstrcmpiW.KERNEL32(?,?), ref: 0072CF45
MoveFileW.KERNEL32(?,?), ref: 0072CF7F
_wcslen.LIBCMT ref: 0072D005
_wcslen.LIBCMT ref: 0072D01B
SHFileOperationW.SHELL32(?), ref: 0072D061

Strings

\*.*, xrefs: 0072CFF3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 654cca5c340507bc0217350a0edf4ca44d3b9ec44207643d92f24b8bf21f40b4
Instruction ID: 4a9eb231884fed9301bf8cd7c468b931f518e157b5456f74183405a2d788160e
Opcode Fuzzy Hash: 654cca5c340507bc0217350a0edf4ca44d3b9ec44207643d92f24b8bf21f40b4
Instruction Fuzzy Hash: 024158729452289FDF13EBA4DA85EDD77B9AF18340F1000EAE545EB141EA38AB44CB54

Function 00752DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00752E1C
GetWindowLongW.USER32(?,000000F0), ref: 00752E4F
GetWindowLongW.USER32(?,000000F0), ref: 00752E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00752EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00752EE0
GetWindowLongW.USER32(?,000000F0), ref: 00752EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00752F0B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: af2b82f9201aa77abab94f0d29a11082762ebb3c6ce51adcdd3c40e4e60e183b
Instruction ID: e3b1a92f38d72711da357527199c18c77aa80136364c33deb343cb6432256e66
Opcode Fuzzy Hash: af2b82f9201aa77abab94f0d29a11082762ebb3c6ce51adcdd3c40e4e60e183b
Instruction Fuzzy Hash: 1C311A306042819FDB22CF58DC89FA537E0EB4A722F1541A5F9008F2B2C7B9B856DB44

Function 00727726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00727769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0072778F
SysAllocString.OLEAUT32(00000000), ref: 00727792
SysAllocString.OLEAUT32(?), ref: 007277B0
SysFreeString.OLEAUT32(?), ref: 007277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007277DE
SysAllocString.OLEAUT32(?), ref: 007277EC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 77e0abb09f3c3e5154c07f2800d94998d53a488b8ad80604564d7d8b5c7fb272
Instruction ID: b9d31085fbe3437f9d0493445a13fe29199b7aff6725f8c99c1ce77862d498a6
Opcode Fuzzy Hash: 77e0abb09f3c3e5154c07f2800d94998d53a488b8ad80604564d7d8b5c7fb272
Instruction Fuzzy Hash: DE21B076604329AFDB14DFA8DD88DFB77ACEB093647008025FA05DB250D6B8DC41C764

Function 007277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00727842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00727868
SysAllocString.OLEAUT32(00000000), ref: 0072786B
SysAllocString.OLEAUT32 ref: 0072788C
SysFreeString.OLEAUT32 ref: 00727895
StringFromGUID2.OLE32(?,?,00000028), ref: 007278AF
SysAllocString.OLEAUT32(?), ref: 007278BD

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b65de34520caad0cbe47c3ccd79198aac2ceedadf479475b8255f7952486cc2b
Instruction ID: 69ac55ebd74fc59bf9ffe1381f4b61f23ff66c76f00129230af809026e4018fa
Opcode Fuzzy Hash: b65de34520caad0cbe47c3ccd79198aac2ceedadf479475b8255f7952486cc2b
Instruction Fuzzy Hash: FF21A471604324BFDB149FA9DC88DAA77ECEB083607108125F915CB2A1D678DC41CB68

Function 007304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0073052E

Strings

nul, xrefs: 00730567

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6ee12d927b334c7f5f20858a06e535fb69c291f061751252186cf29aee6b542c
Instruction ID: d933aac48a004e1b5afafcc9c534b81f4b44bed9a31c4ef3d338315a0bcc913c
Opcode Fuzzy Hash: 6ee12d927b334c7f5f20858a06e535fb69c291f061751252186cf29aee6b542c
Instruction Fuzzy Hash: 12216D75500305AFEB209F29DC58F9A77A4BF45724F204A19F8A1D62E1D7B49960CFA0

Function 007305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00730601

Strings

nul, xrefs: 00730639

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4fd812f675a4eb89ee06f9dd7b7788c278128054e29bcd0202a1ef17e8d7fccd
Instruction ID: 1227f61d3e9433471bbd459e7c65782e632d794505f65f85149a47c50d8bdc1e
Opcode Fuzzy Hash: 4fd812f675a4eb89ee06f9dd7b7788c278128054e29bcd0202a1ef17e8d7fccd
Instruction Fuzzy Hash: 3F21B275500305DFEB209F69CC19A9A77F8BF85B20F204A19F8A1E72E5D7B49860CB94

Function 007540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006C604C
Part of subcall function 006C600E: GetStockObject.GDI32(00000011), ref: 006C6060
Part of subcall function 006C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00754112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0075411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0075412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00754139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00754145

Strings

Msctls_Progress32, xrefs: 007540E3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 35f97539ec11ff43838e14ab95287793b3066a3fb574d2ecc05ae21ffbebfd30
Instruction ID: e880e4ac357a0750ae9c7db79ab1bac6c5a99f193fea5625817f68a30a1a958c
Opcode Fuzzy Hash: 35f97539ec11ff43838e14ab95287793b3066a3fb574d2ecc05ae21ffbebfd30
Instruction Fuzzy Hash: 4F11B2B214021DBEEF119F64CC85EE77F9DEF08798F104111BA18A2090C6B6DC62DBA4

Function 006FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006FD7A3: _free.LIBCMT ref: 006FD7CC

_free.LIBCMT ref: 006FD82D

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006FD838
_free.LIBCMT ref: 006FD843
_free.LIBCMT ref: 006FD897
_free.LIBCMT ref: 006FD8A2
_free.LIBCMT ref: 006FD8AD
_free.LIBCMT ref: 006FD8B8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 747e1961cfd0b67d47ed020b073260e3d7e34d524eb31d6e75a3d3914ffdceb1
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: AC115171580B0DAAD5A1BFB1CC47FEB7BDF6F00700F40082DB399AA0A2DA65F5054A54

Function 0072DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0072DA74
LoadStringW.USER32(00000000), ref: 0072DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0072DA91
LoadStringW.USER32(00000000), ref: 0072DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0072DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0072DAB9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 794d638726fa2d39e8caa4b1842f11c0a8eb9e3605000eaf27698c7e5106ad0e
Instruction ID: 7e92732373fe926209597015193899a1e6f1fe7c0f1162e0a898dead63995e66
Opcode Fuzzy Hash: 794d638726fa2d39e8caa4b1842f11c0a8eb9e3605000eaf27698c7e5106ad0e
Instruction Fuzzy Hash: 2B0136F65003187FE711EBA49D89FEB776CE708706F4084A5B746E2041EAB89E848F74

Function 0073096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D3E478,00D3E478), ref: 0073097B
EnterCriticalSection.KERNEL32(00D3E458,00000000), ref: 0073098D
TerminateThread.KERNEL32(?,000001F6), ref: 0073099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007309A9
CloseHandle.KERNEL32(?), ref: 007309B8
InterlockedExchange.KERNEL32(00D3E478,000001F6), ref: 007309C8
LeaveCriticalSection.KERNEL32(00D3E458), ref: 007309CF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 15299fb7b3c4cb36ceaaf1791fc3ad8fe2ec23667343f6ac538c9e862e1a6a13
Instruction ID: 7fa513aee151264fe26313b3131e8a0511f4b6d4302cb3966c209b6e1908b526
Opcode Fuzzy Hash: 15299fb7b3c4cb36ceaaf1791fc3ad8fe2ec23667343f6ac538c9e862e1a6a13
Instruction Fuzzy Hash: 36F01D32442B02AFE7425B94EE8DBDA7A25FF01702F405015F102508A1CBB8A465CF94

Function 006C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006C5D30
GetWindowRect.USER32(?,?), ref: 006C5D71
ScreenToClient.USER32(?,?), ref: 006C5D99
GetClientRect.USER32(?,?), ref: 006C5ED7
GetWindowRect.USER32(?,?), ref: 006C5EF8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 5f588f383c188bb22cec7c16b614614abefa76f41b845aac0ae965ad31e118f9
Instruction ID: 103d9c74933b92a07c2a36ca23a0453461fea99753b3aa6f0b874e5626b56dac
Opcode Fuzzy Hash: 5f588f383c188bb22cec7c16b614614abefa76f41b845aac0ae965ad31e118f9
Instruction Fuzzy Hash: 04B16C74A0074ADBDB14CFA8C840BFAB7F1FF58310F14851AE9AAD7290D734AA91DB54

Function 006F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F00D6
__allrem.LIBCMT ref: 006F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F010B
__allrem.LIBCMT ref: 006F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F0140

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 0f0c0729a0c6d6715afd1fb9e555269d7ac5a804f451f2297d449cc09ffc1478
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: A281E672601B0A9BE7209F69CC41BBA73EAAF41724F24463EF651D6782EB70D9008B54

Function 00741D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00743149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00743195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00741DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00741DE1
WSAGetLastError.WSOCK32 ref: 00741DF2
inet_ntoa.WSOCK32(?), ref: 00741E8C
htons.WSOCK32(?), ref: 00741EDB
_strlen.LIBCMT ref: 00741F35

Part of subcall function 007239E8: _strlen.LIBCMT ref: 007239F2

Part of subcall function 006C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,006DCF58,?,?,?), ref: 006C6DBA
Part of subcall function 006C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,006DCF58,?,?,?), ref: 006C6DED

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 91db377986e467e8c157af4e0bd530face523d2a24b250f07fe55467feea474a
Instruction ID: ffcc9d53c54fa92373c1475f265cffe83c9df854f000b463e518c4f40a3200de
Opcode Fuzzy Hash: 91db377986e467e8c157af4e0bd530face523d2a24b250f07fe55467feea474a
Instruction Fuzzy Hash: 2FA1C031604340AFD324EF20C895F2A7BE6EF84318F94894CF4565B2A2DB75ED86CB95

Function 006F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006E82D9,006E82D9,?,?,?,006F644F,00000001,00000001,8BE85006), ref: 006F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006F644F,00000001,00000001,8BE85006,?,?,?), ref: 006F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006F63D8
__freea.LIBCMT ref: 006F63E5

Part of subcall function 006F3820: RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

__freea.LIBCMT ref: 006F63EE
__freea.LIBCMT ref: 006F6413

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d040b51394cd1088930b8b538835e54a2ab42c0abd869348097d587f19c3b89f
Instruction ID: 74d83be1ab9c0dda26885b2dab1c0465cbd8295914e91ec88224ae08d88d9408
Opcode Fuzzy Hash: d040b51394cd1088930b8b538835e54a2ab42c0abd869348097d587f19c3b89f
Instruction Fuzzy Hash: A851DE73A0021AABEB268F64CC81EFF77ABEB55750F154229FA05D6240EB34DD45C6A0

Function 0074BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 0074C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074C9F1
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA68
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0074BD25
RegCloseKey.ADVAPI32(00000000), ref: 0074BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0074BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0074BDF3
RegCloseKey.ADVAPI32(?), ref: 0074BDFF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5f578314844cd4be68412c1a0bcc125dcf68c54b8bcd20e3248651affecc2956
Instruction ID: 2ad4d3d493455e900f8bdfba7dd1477dddfcf22279ae69317312dc25a2751de2
Opcode Fuzzy Hash: 5f578314844cd4be68412c1a0bcc125dcf68c54b8bcd20e3248651affecc2956
Instruction Fuzzy Hash: BE819C30608241EFD754DF24C885E6ABBE5FF84308F14899DF4598B2A2DB36ED45CB92

Function 0071F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0071F7B9
SysAllocString.OLEAUT32(00000001), ref: 0071F860
VariantCopy.OLEAUT32(0071FA64,00000000), ref: 0071F889
VariantClear.OLEAUT32(0071FA64), ref: 0071F8AD
VariantCopy.OLEAUT32(0071FA64,00000000), ref: 0071F8B1
VariantClear.OLEAUT32(?), ref: 0071F8BB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 6174de42e4733b9a2a16faa15ab719a467646af2d7986a3a5acb96c27234cc0f
Instruction ID: 74e1151b51a5505a3b16917ef3a108669e028a776c859e82c61777b3ef25748b
Opcode Fuzzy Hash: 6174de42e4733b9a2a16faa15ab719a467646af2d7986a3a5acb96c27234cc0f
Instruction Fuzzy Hash: 8E51B531501310FADF10AB69D895BB9B3A5EF45710F24946BE806DF2D1DB789C80CBAA

Function 0073910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006C7620: _wcslen.LIBCMT ref: 006C7625

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007394E5
_wcslen.LIBCMT ref: 00739506
_wcslen.LIBCMT ref: 0073952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00739585

Strings

X, xrefs: 00739412

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 14521a5eb3e1e7f271602c7f1731198c5e74b1231aefa2c2b484ae2d7eed5246
Instruction ID: a7e2d09b266a1c368ec5592c6153cf55fed50c62eccbcca32f8f688de178b3ca
Opcode Fuzzy Hash: 14521a5eb3e1e7f271602c7f1731198c5e74b1231aefa2c2b484ae2d7eed5246
Instruction Fuzzy Hash: D5E1AB716083409FD764EF24C881F6AB7E1FF84314F04896DE9899B2A2DB75ED04CB96

Function 006D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

BeginPaint.USER32(?,?,?), ref: 006D9241
GetWindowRect.USER32(?,?), ref: 006D92A5
ScreenToClient.USER32(?,?), ref: 006D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006D92D3
EndPaint.USER32(?,?,?,?,?), ref: 006D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007171EA

Part of subcall function 006D9339: BeginPath.GDI32(00000000), ref: 006D9357

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: a2cadbf2f306054eb26c1d44f01e2fefe7c30fdc16cf715ba1812261bf392356
Instruction ID: cd5a9f1bb5e3278c759ed064f1b948c9167c43c5103135be800bc553f31ff8f2
Opcode Fuzzy Hash: a2cadbf2f306054eb26c1d44f01e2fefe7c30fdc16cf715ba1812261bf392356
Instruction Fuzzy Hash: 26410E30504301AFD711DF24CC84FBA3BB9EB89331F00422AF994872E1C778A946DB61

Function 007307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0073080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00730847
EnterCriticalSection.KERNEL32(?), ref: 00730863
LeaveCriticalSection.KERNEL32(?), ref: 007308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00730921

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 758b5c349cfe04a4c159d998c8e2dea918bd0cff68cb09ac9bb0fa29bcaf3cee
Instruction ID: 1abf96a1594f22f3b2af40c44b9b51b18873474694069a99416c4e501474909d
Opcode Fuzzy Hash: 758b5c349cfe04a4c159d998c8e2dea918bd0cff68cb09ac9bb0fa29bcaf3cee
Instruction Fuzzy Hash: B1419C71900305EFEF059F54DC85AAA77B9FF04310F1080A9ED049A297DB74EE60DBA8

Function 007581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0071F3AB,00000000,?,?,00000000,?,0071682C,00000004,00000000,00000000), ref: 0075824C
EnableWindow.USER32(?,00000000), ref: 00758272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007582D1
ShowWindow.USER32(?,00000004), ref: 007582E5
EnableWindow.USER32(?,00000001), ref: 0075830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0075832F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 933beea219422e69201db9c2800f9f65afb8c193ac24cf8a19486bda56dc67ca
Instruction ID: f1944e1e4e5f1ba765fb6233a179180dd293a9a858c4b73feaf05bd6c58f85b2
Opcode Fuzzy Hash: 933beea219422e69201db9c2800f9f65afb8c193ac24cf8a19486bda56dc67ca
Instruction Fuzzy Hash: 3F41D830601740EFDF52CF14C899BE87BE0FB09716F1841A5E9089B272C7B9685ACF45

Function 00724C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00724C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00724CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00724CEA
_wcslen.LIBCMT ref: 00724D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00724D10
_wcsstr.LIBVCRUNTIME ref: 00724D1A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: cdecafaf587b1009cad2fe104c7be0b7fb29c900be42cd4407086383564c0185
Instruction ID: 5abe949328a27334af40516badbf4c1886a4020d4db21da0cc62102f03dd8467
Opcode Fuzzy Hash: cdecafaf587b1009cad2fe104c7be0b7fb29c900be42cd4407086383564c0185
Instruction Fuzzy Hash: 7F212932604310BBEB165B39FC09E7B7B9DDF45750F10807EF905CA192DAA9CD4086A0

Function 0073581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006C3A97,?,?,006C2E7F,?,?,?,00000000), ref: 006C3AC2

_wcslen.LIBCMT ref: 0073587B
CoInitialize.OLE32(00000000), ref: 00735995
CoCreateInstance.OLE32(0075FCF8,00000000,00000001,0075FB68,?), ref: 007359AE
CoUninitialize.OLE32 ref: 007359CC

Strings

.lnk, xrefs: 00735876, 007358C1, 00735985

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 2839b9256c79da1326e20b7273aed1ae72ea4c2cf5aa78f0232a32cfc4119aa5
Instruction ID: f002c2d9692027ca804c428a605ee78010b41dfc58c0b1ae3388b7031b25c274
Opcode Fuzzy Hash: 2839b9256c79da1326e20b7273aed1ae72ea4c2cf5aa78f0232a32cfc4119aa5
Instruction Fuzzy Hash: 1CD153B16087019FD714DF24C484A2ABBE6EF89720F14885DF8899B362DB35ED45CB92

Function 0072175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00720FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00720FCA
Part of subcall function 00720FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00720FD6
Part of subcall function 00720FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00720FE5
Part of subcall function 00720FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00720FEC
Part of subcall function 00720FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00721002

GetLengthSid.ADVAPI32(?,00000000,00721335), ref: 007217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007217BA
HeapAlloc.KERNEL32(00000000), ref: 007217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007217DA
GetProcessHeap.KERNEL32(00000000,00000000,00721335), ref: 007217EE
HeapFree.KERNEL32(00000000), ref: 007217F5

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ec8b2f80375522580cbbb5c70e08988ff4d64aee590b8f234c4878c5761aa339
Instruction ID: d0ecc864b1833f2040d9b547d24912f9766ec2fa6c2fcc993b4eebb4c4efa631
Opcode Fuzzy Hash: ec8b2f80375522580cbbb5c70e08988ff4d64aee590b8f234c4878c5761aa339
Instruction Fuzzy Hash: 3111DC71500714EFDB118FA4EC49BAE7BA8FB91316F508018F44197211C779A900CBA0

Function 007214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00721506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00721515
CloseHandle.KERNEL32(00000004), ref: 00721520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0072154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00721563

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a16d523b7795808eb5281e9847fbedca7a3912fe91f4c6159bcc316c0157d8e3
Instruction ID: 7fa7cca0489f63c37af24c73f08099a85eb5b16195147beeaa56c7e94d60bc5c
Opcode Fuzzy Hash: a16d523b7795808eb5281e9847fbedca7a3912fe91f4c6159bcc316c0157d8e3
Instruction Fuzzy Hash: BC11597250038DAFDF128F98ED49BDE7BA9FF48705F048054FA05A2060C3B98E60DB60

Function 006E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006E3379,006E2FE5), ref: 006E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006E33B7
SetLastError.KERNEL32(00000000,?,006E3379,006E2FE5), ref: 006E3409

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c491f29c8eb7b8b8bd9d9067a6c2faa071b393bd962db5cb3625a541efcdda33
Instruction ID: d4f96513b5fb7bf85f69e4e9bffdf185ea00b7a1ec5dfd0f1bfff19871cc5ccb
Opcode Fuzzy Hash: c491f29c8eb7b8b8bd9d9067a6c2faa071b393bd962db5cb3625a541efcdda33
Instruction Fuzzy Hash: 9501F53220B3B1AEA72727777C8DAA62B96EB153B5730422DF410873F0EF614D01566C

Function 006F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006F5686,00703CD6,?,00000000,?,006F5B6A,?,?,?,?,?,006EE6D1,?,00788A48), ref: 006F2D78
_free.LIBCMT ref: 006F2DAB
_free.LIBCMT ref: 006F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,006EE6D1,?,00788A48,00000010,006C4F4A,?,?,00000000,00703CD6), ref: 006F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,006EE6D1,?,00788A48,00000010,006C4F4A,?,?,00000000,00703CD6), ref: 006F2DEC
_abort.LIBCMT ref: 006F2DF2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c710e6dcb43925d81e71f0fd60df0e01df71c58fca33c2f24cc5c0650a6dfad2
Instruction ID: bd183a1792753fca7c6454d4d10cab44e0df7f2c8390376a9ad8f9dfa99d08c7
Opcode Fuzzy Hash: c710e6dcb43925d81e71f0fd60df0e01df71c58fca33c2f24cc5c0650a6dfad2
Instruction Fuzzy Hash: D6F0F931545B0F2BC25327347C3AABA2557AFC2BA1B20401CFB24922D2DE6889014969

Function 00758A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006D9693
Part of subcall function 006D9639: SelectObject.GDI32(?,00000000), ref: 006D96A2
Part of subcall function 006D9639: BeginPath.GDI32(?), ref: 006D96B9
Part of subcall function 006D9639: SelectObject.GDI32(?,00000000), ref: 006D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00758A4E
LineTo.GDI32(?,00000003,00000000), ref: 00758A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00758A70
LineTo.GDI32(?,00000000,00000003), ref: 00758A80
EndPath.GDI32(?), ref: 00758A90
StrokePath.GDI32(?), ref: 00758AA0

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 3cb378d58e2e1b25665e34f63e21ba5556bde3a10bd9a3919d93723e488dc9d6
Instruction ID: 52e737acebb7f081ebe6143b5a32b76b39daf40c033bc5ea6562a51253ad9ab8
Opcode Fuzzy Hash: 3cb378d58e2e1b25665e34f63e21ba5556bde3a10bd9a3919d93723e488dc9d6
Instruction Fuzzy Hash: 6F110C7600024DFFDB129F90DC88FEA7F6DEB04361F04C016BA19991A1C7B59D55DBA4

Function 007251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00725218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00725229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00725230
ReleaseDC.USER32(00000000,00000000), ref: 00725238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0072524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00725261

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8b1d84624ca2da6a07814262749d5d919c8a7500611cd98640a160b5c761bda0
Instruction ID: 2a42cac2fa58eac94a3952b058299ca926f545bd30ceb6058e1b93f94149c820
Opcode Fuzzy Hash: 8b1d84624ca2da6a07814262749d5d919c8a7500611cd98640a160b5c761bda0
Instruction Fuzzy Hash: ED0144B5A00718BFEB115BA59C49B9EBFB8FB44752F048065FA04A7281D6749900CB64

Function 006C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006C1C22

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d55cbadfcd610a4eb1d6d813fab4a282ef4a9947360548802f332f05f8931c06
Instruction ID: 94bd0ebf5ba9346a8572828e5a6a6af26a4a4c52332f7b995053e9926e9384c2
Opcode Fuzzy Hash: d55cbadfcd610a4eb1d6d813fab4a282ef4a9947360548802f332f05f8931c06
Instruction Fuzzy Hash: 510167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 0072EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0072EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0072EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0072EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0072EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0072EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0072EB75

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 68d035c891347e6f949fd0f8ee736a62f98544981aac633d019393276812a65b
Instruction ID: 494261608544726a6f6e3148c87e1cead83840e745c2bf9bf1bc5d5f0a528b6e
Opcode Fuzzy Hash: 68d035c891347e6f949fd0f8ee736a62f98544981aac633d019393276812a65b
Instruction Fuzzy Hash: B5F01DB2140758BFE62257529C0EFEB3A7CEBCAB12F008158F601D109196E85A0186B9

Function 00717439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00717452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00717469
GetWindowDC.USER32(?), ref: 00717475
GetPixel.GDI32(00000000,?,?), ref: 00717484
ReleaseDC.USER32(?,00000000), ref: 00717496
GetSysColor.USER32(00000005), ref: 007174B0

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 33d89ab891da8e05392baa2b2318d50237a064c6c10246c9b9a1603ea2b52f4b
Instruction ID: 037c3b07e8bc0dc1a9dbbffcdce311174e4db18b7c2ed46a8c7e27919c12b029
Opcode Fuzzy Hash: 33d89ab891da8e05392baa2b2318d50237a064c6c10246c9b9a1603ea2b52f4b
Instruction Fuzzy Hash: 18018B31800305EFEB125FA4DC08BEA7BB5FB04312F608060FD16A31A0CB791E51EB54

Function 00721874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0072187F
UnloadUserProfile.USERENV(?,?), ref: 0072188B
CloseHandle.KERNEL32(?), ref: 00721894
CloseHandle.KERNEL32(?), ref: 0072189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007218A5
HeapFree.KERNEL32(00000000), ref: 007218AC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 87efe14c45da36ccb5e9c380c7906bebb2d1d2054eeffb5238bea975ce058dc0
Instruction ID: 7277141524963e4b8dcaf2a5cd019e37d797fd3305c968578f9299f55af66975
Opcode Fuzzy Hash: 87efe14c45da36ccb5e9c380c7906bebb2d1d2054eeffb5238bea975ce058dc0
Instruction Fuzzy Hash: 45E0C976004749BFDA025BA1ED0CA85BB69FB49722710C620F22581470CBB65460DB54

Function 006CBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006CBEB3

Strings

D%y, xrefs: 006CBCA2
D%y, xrefs: 006CBDED, 006CBD91, 006CBD1B
D%yD%y, xrefs: 006CBCA5
D%y, xrefs: 006CBE9A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%y$D%y$D%y$D%yD%y
API String ID: 1385522511-2680773410
Opcode ID: b7e28e6ea158cc0c5c0e693f3a3b19f629f18b633c4f5b8562f15e7c661a0fea
Instruction ID: f3d15b1d102cbe291e5106e8ed2ec36960467dc3f2d2f32edb2fca9eedcec1d6
Opcode Fuzzy Hash: b7e28e6ea158cc0c5c0e693f3a3b19f629f18b633c4f5b8562f15e7c661a0fea
Instruction Fuzzy Hash: 24912A75A0020ADFCB14CF59C092ABAB7F2FF58314F24916ED946AB351D771AD82CB90

Function 00747B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 006E0242: EnterCriticalSection.KERNEL32(0079070C,00791884,?,?,006D198B,00792518,?,?,?,006C12F9,00000000), ref: 006E024D
Part of subcall function 006E0242: LeaveCriticalSection.KERNEL32(0079070C,?,006D198B,00792518,?,?,?,006C12F9,00000000), ref: 006E028A

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 006E00A3: __onexit.LIBCMT ref: 006E00A9

__Init_thread_footer.LIBCMT ref: 00747BFB

Part of subcall function 006E01F8: EnterCriticalSection.KERNEL32(0079070C,?,?,006D8747,00792514), ref: 006E0202
Part of subcall function 006E01F8: LeaveCriticalSection.KERNEL32(0079070C,?,006D8747,00792514), ref: 006E0235

Strings

G, xrefs: 00747C7F
+Tq, xrefs: 00747E2E
5, xrefs: 00747C78
Variable must be of type 'Object'., xrefs: 00747C3A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tq$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3279618855
Opcode ID: 9142e9b22e6c8fff93a682ad31011c1c99bfaca3fc82cba9b5e58d1db1fd7f83
Instruction ID: 596f55ad914f7d51317af4b15914476f44e14e049545bcb3c09d0309e0c3f8b3
Opcode Fuzzy Hash: 9142e9b22e6c8fff93a682ad31011c1c99bfaca3fc82cba9b5e58d1db1fd7f83
Instruction Fuzzy Hash: 6F916A70A04209EFCB18EF94D895DBDB7B6EF45304F10805DF806AB292DB79AE45CB61

Function 0072C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C7620: _wcslen.LIBCMT ref: 006C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0072C6EE
_wcslen.LIBCMT ref: 0072C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0072C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0072C7CA

Strings

0, xrefs: 0072C6AF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: d56efa59222d7ac8be33c45415a0588dcf996595a68b83e8b1674c421a0c941e
Instruction ID: 7830e37f2102a1d415be5f16e17fc820dacd4470fa7c1b3904a3981444505aef
Opcode Fuzzy Hash: d56efa59222d7ac8be33c45415a0588dcf996595a68b83e8b1674c421a0c941e
Instruction Fuzzy Hash: C3511F716043219BD7529F28E885B6F77E8EF69310F040A2DF996E32A0DB78DD04CB56

Function 0074AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0074AEA3

Part of subcall function 006C7620: _wcslen.LIBCMT ref: 006C7625

GetProcessId.KERNEL32(00000000), ref: 0074AF38
CloseHandle.KERNEL32(00000000), ref: 0074AF67

Strings

<, xrefs: 0074AE6B
@, xrefs: 0074AE72

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 9540a1b59d450766888e0f94521e4c7c83d671b47a33111a99b1a52482e10cb9
Instruction ID: d8f44f527d3ff10ac86b17bbac297fed631f608cdff8a92c772ce039b1760803
Opcode Fuzzy Hash: 9540a1b59d450766888e0f94521e4c7c83d671b47a33111a99b1a52482e10cb9
Instruction Fuzzy Hash: 5A713570A00619EFCB14DF54C485AAEBBF1EF08314F04849DE826AB362CB78ED45CB95

Function 0072719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00727206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0072723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0072724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007272CF

Strings

DllGetClassObject, xrefs: 00727242

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: cd2efee7e1360a46b94027fd002a9e25d3433aff01b7d1726af658ccb51df85c
Instruction ID: aca6bbaa9e1b0776973d6f7993c11cc040a680adc31d039dbd8205091def18f5
Opcode Fuzzy Hash: cd2efee7e1360a46b94027fd002a9e25d3433aff01b7d1726af658ccb51df85c
Instruction Fuzzy Hash: 83414AB2A04214EFDB19CF54D984A9A7BF9FF48310B1580ADFD059F20AD7B8D944DBA0

Function 00753D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00753E35
IsMenu.USER32(?), ref: 00753E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00753E92
DrawMenuBar.USER32 ref: 00753EA5

Strings

0, xrefs: 00753D89

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 3e208f43d40aaa9fb93d1262fe7797755c55c354ed42e8b11289deb3b6bb6c10
Instruction ID: c602b04d158b8343022c29a538ff25be73a4fcd2ff6d8107ce8d3a5594891db6
Opcode Fuzzy Hash: 3e208f43d40aaa9fb93d1262fe7797755c55c354ed42e8b11289deb3b6bb6c10
Instruction Fuzzy Hash: 36418C74A00209AFDB10DF90D885EEAB7F5FF44391F048019EC1597260D7B8AE59CF60

Function 00721DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00721E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00721E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00721EA9

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

Strings

ComboBox, xrefs: 00721DF0
ListBox, xrefs: 00721E25

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ce6081e08822782458cf402b321f91cab4d2a0bbae500909e14c9f4ca0cee5ce
Instruction ID: 1704f1a0a2a1bebb465c90fac1dac9bf3505a00b246a6ec56655866928a7371a
Opcode Fuzzy Hash: ce6081e08822782458cf402b321f91cab4d2a0bbae500909e14c9f4ca0cee5ce
Instruction Fuzzy Hash: 7F2123B1E00204BEDB14AB60EC49DFFBBB9EF51350B54452DF825A31E0DB7C4A098624

Function 0074C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0074C9F1
_wcslen.LIBCMT ref: 0074CA68
_wcslen.LIBCMT ref: 0074CA9E
_wcslen.LIBCMT ref: 0074CAF9
_wcslen.LIBCMT ref: 0074CB2F
_wcslen.LIBCMT ref: 0074CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0074CA62, 0074CA67
HKLM, xrefs: 0074CA98, 0074CA9D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 5455488243607cfaecb64bde67aa3a01b9e3d20a419d957a05f1296fe0a78d8f
Instruction ID: 5bcdcd5be313e7455d0f753508d22c8e6d138925eadbdbe86f1c43eb76b53248
Opcode Fuzzy Hash: 5455488243607cfaecb64bde67aa3a01b9e3d20a419d957a05f1296fe0a78d8f
Instruction Fuzzy Hash: 95312873B4216A4BCB62EF3C88405BE33929BA1750B15C02EE851AB345FB79CD44C3E4

Function 00752F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00752F8D
LoadLibraryW.KERNEL32(?), ref: 00752F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00752FA9
DestroyWindow.USER32(?), ref: 00752FB1

Strings

SysAnimate32, xrefs: 00752F68

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 7ee6d9e1693cd78c46623c12e313f8179651c2cc79fd84c528efd55861eccaf4
Instruction ID: d43ed692f61aedbcd264b38e5bdc19b7c7ec7ef96d65ba9dc02bc97644697df5
Opcode Fuzzy Hash: 7ee6d9e1693cd78c46623c12e313f8179651c2cc79fd84c528efd55861eccaf4
Instruction Fuzzy Hash: 4521BB71204205ABEB114F64EC80FFB37B9EB5A326F104618FD10A60E1C2B9DC569B60

Function 006E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006E4D1E,006F28E9,?,006E4CBE,006F28E9,007888B8,0000000C,006E4E15,006F28E9,00000002), ref: 006E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,006E4D1E,006F28E9,?,006E4CBE,006F28E9,007888B8,0000000C,006E4E15,006F28E9,00000002,00000000), ref: 006E4DC3

Strings

CorExitProcess, xrefs: 006E4D98
mscoree.dll, xrefs: 006E4D86

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4f257442ee911a7920dcb6af8e9b1bfe8e3e921adf08e1febadb93aa7b89d8bc
Instruction ID: 5c7ef2e008c64a07323ee97b777bec1daa727490c03550f47dc520882850e451
Opcode Fuzzy Hash: 4f257442ee911a7920dcb6af8e9b1bfe8e3e921adf08e1febadb93aa7b89d8bc
Instruction Fuzzy Hash: 40F03174541308AFDB115FA5DC49BDEBBA5EF44752F0440A4A805A6250DF745940CB95

Function 0071D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0071D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0071D3BF
FreeLibrary.KERNEL32(00000000), ref: 0071D3E5

Strings

X64, xrefs: 0071D2A8
GetSystemWow64DirectoryW, xrefs: 0071D3B9

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 7c957499d5b506394f4842436b96c7feb7c29e5bd927bbe99d9751d3f5fbc637
Instruction ID: bba9fb9df96fdc911c836323e61b3e60802f9cf1d160286182e889eb96dc5cd1
Opcode Fuzzy Hash: 7c957499d5b506394f4842436b96c7feb7c29e5bd927bbe99d9751d3f5fbc637
Instruction Fuzzy Hash: 25F0A0B5905B25DBD73627188C98AE97725AF11B02B64815AE822E1184DBBCCDC08E96

Function 006C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006C4EDD,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006C4EAE
FreeLibrary.KERNEL32(00000000,?,?,006C4EDD,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 006C4EA8
kernel32.dll, xrefs: 006C4E94

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ef77ba442c0d8bc0bcd7f5ed1f42417784e251a49ee35ab3a0861783511b6423
Instruction ID: 7aae984219145427718e7e9ef0d4f294cfc65ffce2440c32b733f1513379c917
Opcode Fuzzy Hash: ef77ba442c0d8bc0bcd7f5ed1f42417784e251a49ee35ab3a0861783511b6423
Instruction Fuzzy Hash: F1E08675A01B225F922367256C28FEB6A55EF85F637064119FC00E2200DFA8CD0181A4

Function 006C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00703CDE,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006C4E74
FreeLibrary.KERNEL32(00000000,?,?,00703CDE,?,00791418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E87

Strings

kernel32.dll, xrefs: 006C4E5B
Wow64RevertWow64FsRedirection, xrefs: 006C4E6E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 0cda887f05ed404a92f50cda86f73b546fe338329a7d8f26e68de39a9500745b
Instruction ID: c874f7d3538bc95378adc180d56bc5ac9d27c8960ae14a8ecdbc7fa6bb95fb6d
Opcode Fuzzy Hash: 0cda887f05ed404a92f50cda86f73b546fe338329a7d8f26e68de39a9500745b
Instruction Fuzzy Hash: 90D0C271502B215B46231B287C28FDB2A1AEF89F12306411ABC00A2210CFA8CD01C1D4

Function 00732947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00732C05
DeleteFileW.KERNEL32(?), ref: 00732C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00732C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00732CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00732CC0

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5d3ee5dd4916ea1d39931685bada45cb1b54e9b81a36a65bb60f9963fb6f2d3f
Instruction ID: db1cc21148f6738480aaf65700a055cae92879eadf6d33f454ec7a3df638092a
Opcode Fuzzy Hash: 5d3ee5dd4916ea1d39931685bada45cb1b54e9b81a36a65bb60f9963fb6f2d3f
Instruction Fuzzy Hash: 80B16271D01219ABDF11DFA4CC89EDEB77DEF08310F1040AAF609E6152EB349A458F65

Function 0074A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0074A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0074A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0074A468
CloseHandle.KERNEL32(?), ref: 0074A63D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 5bc9be1d74e42f2d7b58e16d61ac01a6e1067e48cfa91f288a7a88f871c63d5f
Instruction ID: 45f34cc1dcc453436ba0be603fc90d70e41e3b5c6579bbc11f6b0ee47af61c92
Opcode Fuzzy Hash: 5bc9be1d74e42f2d7b58e16d61ac01a6e1067e48cfa91f288a7a88f871c63d5f
Instruction Fuzzy Hash: 09A1A071644300AFE760DF28C886F2AB7E6EF84714F14885DF55A9B392D7B4EC418B86

Function 0072E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0072DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0072CF22,?), ref: 0072DDFD

Part of subcall function 0072DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0072CF22,?), ref: 0072DE16

Part of subcall function 0072E199: GetFileAttributesW.KERNEL32(?,0072CF95), ref: 0072E19A

lstrcmpiW.KERNEL32(?,?), ref: 0072E473
MoveFileW.KERNEL32(?,?), ref: 0072E4AC
_wcslen.LIBCMT ref: 0072E5EB
_wcslen.LIBCMT ref: 0072E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0072E650

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b5d424af26ec354806e8106a44815b62103494de617c5c686227adc287034c0d
Instruction ID: 37f25cb1ff0851d73af8df557531d437822e84b64f4a2be89bbb8a73d03d2560
Opcode Fuzzy Hash: b5d424af26ec354806e8106a44815b62103494de617c5c686227adc287034c0d
Instruction Fuzzy Hash: 795186B24083959BC764EBA0DC85DDF73EDAF84340F00492EF589D3151EF78A688876A

Function 0074B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 0074C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074C9F1
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA68
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0074BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0074BB63
RegCloseKey.ADVAPI32(?,?), ref: 0074BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0074BBB3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 5f8d15ea5a2a5b4a1ddc624857ef030735b27dd2203747ffeb493b5a6d4f2bb4
Instruction ID: 10d9abc5e3cc260e4ecd84e7e8e3b02b5c41ff513885c453703f3c29964ff55a
Opcode Fuzzy Hash: 5f8d15ea5a2a5b4a1ddc624857ef030735b27dd2203747ffeb493b5a6d4f2bb4
Instruction Fuzzy Hash: 77619C71208241AFD714DF24C895F2ABBE5FF84308F54899CF4998B2A2DB35ED45CB92

Function 00728BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00728BCD
VariantClear.OLEAUT32 ref: 00728C3E
VariantClear.OLEAUT32 ref: 00728C9D
VariantClear.OLEAUT32(?), ref: 00728D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00728D3B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 43ed8df709a8b88d4f2a02c5300430b4998afd3e8e10012f502d8fed5622ce79
Instruction ID: 8f8e34e3a1fdfe3e1313db04c93975f6b9a13d1a8d269058f765983e8933c00f
Opcode Fuzzy Hash: 43ed8df709a8b88d4f2a02c5300430b4998afd3e8e10012f502d8fed5622ce79
Instruction Fuzzy Hash: 8C5179B1A01219EFDB10CF68D884AAABBF8FF8D310B158559E915DB350E735E911CBA0

Function 00738AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00738BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00738BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00738C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00738C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00738C5F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 318c3a17e641d6b8101d4c3e1d39347b408fcbea23924e787171b05a5e3bb998
Instruction ID: 36677a58314168925c1dc7ec177570d7f120b78a3cbdee310154c6d9c59fe70a
Opcode Fuzzy Hash: 318c3a17e641d6b8101d4c3e1d39347b408fcbea23924e787171b05a5e3bb998
Instruction Fuzzy Hash: 57515935A00215AFDB41DF64C880E69BBF2FF48314F08809CE809AB362CB35ED51CBA5

Function 00748EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00748F40
GetProcAddress.KERNEL32(00000000,?), ref: 00748FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00748FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00749032
FreeLibrary.KERNEL32(00000000), ref: 00749052

Part of subcall function 006DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00731043,?,753CE610), ref: 006DF6E6
Part of subcall function 006DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0071FA64,00000000,00000000,?,?,00731043,?,753CE610,?,0071FA64), ref: 006DF70D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 0d17e6ae10f75c0f7d1748436e63220a6269d0a9e6beba0258f686e8ab823b21
Instruction ID: 9c271ab03782c1ca75adf18d250f6c0be7a3924a2093a7dbad96fa00300d138d
Opcode Fuzzy Hash: 0d17e6ae10f75c0f7d1748436e63220a6269d0a9e6beba0258f686e8ab823b21
Instruction Fuzzy Hash: 00513935600209DFCB55DF68C484DADBBB2FF49314F088099E906AB362DB35ED85CB95

Function 00756B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00756C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00756C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00756C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0073AB79,00000000,00000000), ref: 00756C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00756CC7

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cdcc517dfd9319949b1a8958edde347d448e7bceff6b75e2231ffa0229531d74
Instruction ID: 9f1b7531ca2dcf9cb48758b9ac16face1ea9f113a7fd94260388896785ab90ae
Opcode Fuzzy Hash: cdcc517dfd9319949b1a8958edde347d448e7bceff6b75e2231ffa0229531d74
Instruction Fuzzy Hash: 87410435A00204AFD725CF28CC58FE97BA5EB09361F954268FC95A72E0C7B9FD45CA60

Function 006F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006F20C3
_free.LIBCMT ref: 006F20E3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e79b17427180a1b3fcddb6b5ade80d4a60f734f4302219c867e46994b4a917b5
Instruction ID: 8de39c68abc3b5deaff5951e3784c2dc09a36fe2788101f005d60c4d4ccf4968
Opcode Fuzzy Hash: e79b17427180a1b3fcddb6b5ade80d4a60f734f4302219c867e46994b4a917b5
Instruction Fuzzy Hash: AD41E432A00209AFCB20DF78C890AADB7A6EF89314F154569E715EB391DA31AD01CB84

Function 006D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006D9141
ScreenToClient.USER32(00000000,?), ref: 006D915E
GetAsyncKeyState.USER32(00000001), ref: 006D9183
GetAsyncKeyState.USER32(00000002), ref: 006D919D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 51fe91e8ff093df7c842827e4ef5988e7acb602fd811dcef7a15528b348cfe23
Instruction ID: 368583f65d32494adf6db737f212f8588596957279ed4cbf196ba77a8bd347fa
Opcode Fuzzy Hash: 51fe91e8ff093df7c842827e4ef5988e7acb602fd811dcef7a15528b348cfe23
Instruction Fuzzy Hash: C241703190860AFBDF099F68CC48BEEB775FB45320F20821AE425A33D0D7786994DB61

Function 00733874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00733922
TranslateMessage.USER32(?), ref: 0073394B
DispatchMessageW.USER32(?), ref: 00733955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00733966

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 111698587feebe1b88cb7c31cc4196b689645a2bde4d2f2d2debc0d2b25e3f11
Instruction ID: f4f497f18922e9c0c4a93006046ddec5875f2b33e0b0b5e6c971012845c25ba0
Opcode Fuzzy Hash: 111698587feebe1b88cb7c31cc4196b689645a2bde4d2f2d2debc0d2b25e3f11
Instruction Fuzzy Hash: 1131F970904346DEFB35CB349849FB637A4EB05308F54456EE4A6C20A2E3FCB686CB25

Function 0073CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0073C21E,00000000), ref: 0073CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0073CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0073C21E,00000000), ref: 0073CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0073C21E,00000000), ref: 0073CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0073C21E,00000000), ref: 0073CFF2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 683e1fdeadfec31071739766cee8683031239b6381d6de6e34d6f2d7067da224
Instruction ID: 66469690e15929e41bfaa3aabae4c044831c36d2969cf85303cc941b178db4bf
Opcode Fuzzy Hash: 683e1fdeadfec31071739766cee8683031239b6381d6de6e34d6f2d7067da224
Instruction Fuzzy Hash: 19314F72500706AFEB21DFA5C884AABBBF9EF14355F10842EF506E2142D778AE41DB60

Function 00721901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00721915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007219E2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fc467bd5f6dda2dedc55f78169d52fc174591c9eca4bbb2b2f20175c1ef7786e
Instruction ID: 100765c7e94f562b9597268158f758da688fefaaafe1b1ef9d6ccf3568fbee0b
Opcode Fuzzy Hash: fc467bd5f6dda2dedc55f78169d52fc174591c9eca4bbb2b2f20175c1ef7786e
Instruction Fuzzy Hash: 5631AF71900269EFCB00CFA8DD99BDE7BB5FB14315F108225F961A72D1C7B4AA84CB90

Function 00755706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00755745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0075579D
_wcslen.LIBCMT ref: 007557AF
_wcslen.LIBCMT ref: 007557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00755816

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: c9d6ac21f0f166625eee7d82a549da5d8d6f18b498e12f33384bb84d91189f50
Instruction ID: 5144c5ebb8c7b673f63155a598eeca33ceee09ceca402e81c8ecd32d2e346af4
Opcode Fuzzy Hash: c9d6ac21f0f166625eee7d82a549da5d8d6f18b498e12f33384bb84d91189f50
Instruction Fuzzy Hash: 4F21A571904658DADB218FA0CC84EED77B8FF04322F108256ED19EA180D7B89A89CF50

Function 00740930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00740951
GetForegroundWindow.USER32 ref: 00740968
GetDC.USER32(00000000), ref: 007409A4
GetPixel.GDI32(00000000,?,00000003), ref: 007409B0
ReleaseDC.USER32(00000000,00000003), ref: 007409E8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6eefaba8fc9267bb2b3ecedc4dfe13d54c0cc9f62a277d111952a8b06e15d4fa
Instruction ID: 00fada27bdd0626b56280f5296d19ef8fea133c453c971a6b94d71dcb0cba3c9
Opcode Fuzzy Hash: 6eefaba8fc9267bb2b3ecedc4dfe13d54c0cc9f62a277d111952a8b06e15d4fa
Instruction Fuzzy Hash: A6218135A00214AFD704EF65C889AAEBBE5EF48701F04C46CF94AD7752DB74AD04CB90

Function 006FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006FCDE9

Part of subcall function 006F3820: RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006FCE0F
_free.LIBCMT ref: 006FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006FCE31

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5d1ce0bf6fdf1e69ad1c88a976bbf62e0273b92c1c6717fb1fbdc701892e60b0
Instruction ID: 4d204d2a0c2566a4816a3af2674f6fbdad994e6aa82d9962361bfdd33b633ef7
Opcode Fuzzy Hash: 5d1ce0bf6fdf1e69ad1c88a976bbf62e0273b92c1c6717fb1fbdc701892e60b0
Instruction Fuzzy Hash: C101D872A0171E7F6321167A6D48DFB696EDEC6BB1315412DFA05C7200DE658D0281F4

Function 006D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006D9693
SelectObject.GDI32(?,00000000), ref: 006D96A2
BeginPath.GDI32(?), ref: 006D96B9
SelectObject.GDI32(?,00000000), ref: 006D96E2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c4fc4ef115dadd43d64ef55b370536dbc54de334442e286d96b8694f87e91d8b
Instruction ID: c8db515559f1a260377b558ad42f21a26d727d3f9cf384c3f9304c1073a33f5b
Opcode Fuzzy Hash: c4fc4ef115dadd43d64ef55b370536dbc54de334442e286d96b8694f87e91d8b
Instruction Fuzzy Hash: E6218370801786EFEB129F65DC047E93B75BB00365F508217F414A63F0D379A8A2CBA8

Function 00725711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00725726
_memcmp.LIBVCRUNTIME ref: 00725744
_memcmp.LIBVCRUNTIME ref: 00725757
_memcmp.LIBVCRUNTIME ref: 0072576F
_memcmp.LIBVCRUNTIME ref: 00725787

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a4692291681031acb6bd4263918a82d09eda9fae4242fc38fda2fa12b1a1b8ec
Instruction ID: e51d9a8610e4ff9ceaa8be8d8fccd12fa08e763fc781bb0d544e20702846ba27
Opcode Fuzzy Hash: a4692291681031acb6bd4263918a82d09eda9fae4242fc38fda2fa12b1a1b8ec
Instruction Fuzzy Hash: D00192B1682A69BA92089521AE92EFB635D9B213A5F004034FD049E341FA78ED1492B4

Function 006F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,006EF2DE,006F3863,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6), ref: 006F2DFD
_free.LIBCMT ref: 006F2E32
_free.LIBCMT ref: 006F2E59
SetLastError.KERNEL32(00000000,006C1129), ref: 006F2E66
SetLastError.KERNEL32(00000000,006C1129), ref: 006F2E6F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 96ec4c0531cc2cca026888884909bed41fc21497b28dda960e4e59a5e8ede2af
Instruction ID: ec16805d0b3d1480fd11fa09485027f45e0a00a2f451a6cccb4411c6b7ef3e8e
Opcode Fuzzy Hash: 96ec4c0531cc2cca026888884909bed41fc21497b28dda960e4e59a5e8ede2af
Instruction Fuzzy Hash: 1401497224470E2BC61323746C96DBB195BBBC2761730402CFB20923A2EE788C014924

Function 0072000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?,?,0072035E), ref: 0072002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?), ref: 00720064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720070

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 443e72a5cbe0803f325255d5252e79c7df043592a892198305e9b10594075958
Instruction ID: c946a0052cd8335b8f898b97e36c24d143bafce8987c9b03caa6d77a80fea632
Opcode Fuzzy Hash: 443e72a5cbe0803f325255d5252e79c7df043592a892198305e9b10594075958
Instruction Fuzzy Hash: F4018476A00314BFEB214F64EC48BBA7AADEB44752F148114F905D6221D7B9DD4097A4

Function 0072E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0072E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0072E9A5
Sleep.KERNEL32(00000000), ref: 0072E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0072E9B7
Sleep.KERNEL32 ref: 0072E9F3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3a5a953c8f3a7697ea8c92922d2e8829929a6e75793109e278c0d8738792cfd3
Instruction ID: f3434813a0d681437b6127fa497c50e139ec8b931fd0770881b7ade0af64d15d
Opcode Fuzzy Hash: 3a5a953c8f3a7697ea8c92922d2e8829929a6e75793109e278c0d8738792cfd3
Instruction Fuzzy Hash: 14015B71C0163DDBCF00ABE4E8596DDBB78BB08701F004546E542B2241DB78A594C7A6

Function 007210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00721114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 0072112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0072114D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cb250ec7c982f4d743ca432dda4ecf48bcfad34da18f950707e8f5871c45a374
Instruction ID: d0fddb70089c9a2b2fba97d5cd45dd1baa59932a9f6305c6f31d8704ecbe400c
Opcode Fuzzy Hash: cb250ec7c982f4d743ca432dda4ecf48bcfad34da18f950707e8f5871c45a374
Instruction Fuzzy Hash: 9D016D75100319BFDB124F68EC49AAA3F6EFF89361B104414FA41D3350DA75DC10CA60

Function 00720FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00720FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00720FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00720FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00720FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00721002

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7d44a231f8bb21b38a34b71c9982f82886102eb16eafbcf6c37321e61c265059
Instruction ID: 73feb8dccdeadb3f73a5ed744a8d54b934bd520c7e2b656311e7268ba58aeadd
Opcode Fuzzy Hash: 7d44a231f8bb21b38a34b71c9982f82886102eb16eafbcf6c37321e61c265059
Instruction Fuzzy Hash: 2EF04F75200315AFDB224FA5AC49F9A3BADFF89762F508414F949C6291CAB8DC408A60

Function 00721014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0072102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00721036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00721045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0072104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00721062

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: db718be96e3e66ff634f3b793ba6c08ed76bc6845b2d3712f074f2ec3a17f1b0
Instruction ID: 31bb915051c00853604240d89a5923f774b525fa0603400ec689012a250e5c1c
Opcode Fuzzy Hash: db718be96e3e66ff634f3b793ba6c08ed76bc6845b2d3712f074f2ec3a17f1b0
Instruction Fuzzy Hash: 02F06275200355EFDB225FA5EC49F9A3BADFF89762F504414F945C7290CAB8DC80CA60

Function 0073030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 00730324
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 00730331
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 0073033E
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 0073034B
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 00730358
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 00730365

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6a82aefdcd38da28cd3c25cea1a1fffa767f56550daba0ca934b37272b8809f2
Instruction ID: c9bf6952295b7205f165c3ba1fb85359a9c27122bd1a89e296da1d1425f6b038
Opcode Fuzzy Hash: 6a82aefdcd38da28cd3c25cea1a1fffa767f56550daba0ca934b37272b8809f2
Instruction Fuzzy Hash: 2201AA72800B159FDB30AF66D8A0812FBF9FF603153158A3FD19652932C3B5A998CF80

Function 006FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006FD752

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006FD764
_free.LIBCMT ref: 006FD776
_free.LIBCMT ref: 006FD788
_free.LIBCMT ref: 006FD79A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2c5f1c74b520792bd9676d55ff1d25910dab3e1e4ebe0089e2550fe847cbffc
Instruction ID: 6afc6adf15ea17600df0a97ede329edc362f8a02f04a257c015542201e516788
Opcode Fuzzy Hash: f2c5f1c74b520792bd9676d55ff1d25910dab3e1e4ebe0089e2550fe847cbffc
Instruction Fuzzy Hash: 7AF0FF325C420EAB8662FB69F9C5C6A77DFBB447107A54809F258EB611C774FC808B78

Function 00725C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00725C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00725C6F
MessageBeep.USER32(00000000), ref: 00725C87
KillTimer.USER32(?,0000040A), ref: 00725CA3
EndDialog.USER32(?,00000001), ref: 00725CBD

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d78295058353cf39a4f65dd16fa39f4ebecd99f4c713ed4417e6fbef26a538d8
Instruction ID: 4bc0eb1718c5adc619aaf31d4fe2f77415bce070b034f2a6e6aea066498da243
Opcode Fuzzy Hash: d78295058353cf39a4f65dd16fa39f4ebecd99f4c713ed4417e6fbef26a538d8
Instruction Fuzzy Hash: D8018B305007159FEB215B10ED4EFE577B8FB04706F005559B543614E1E7F86A848A94

Function 006F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006F22BE

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006F22D0
_free.LIBCMT ref: 006F22E3
_free.LIBCMT ref: 006F22F4
_free.LIBCMT ref: 006F2305

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fc05aaa82f2d511a7b2c7b21a4c759d41c82614a5b72dcbfca6cf87aef51050e
Instruction ID: 69c3ce707cc33627a7b697f4865704931e0601e3b49d7ab0bc6e3eb68713f8b2
Opcode Fuzzy Hash: fc05aaa82f2d511a7b2c7b21a4c759d41c82614a5b72dcbfca6cf87aef51050e
Instruction Fuzzy Hash: 09F03A719D01278B8653BF55BC128683B66BB18B60740850BF514D73B1C77C0A22AFEC

Function 006D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006D95D4
StrokeAndFillPath.GDI32(?,?,007171F7,00000000,?,?,?), ref: 006D95F0
SelectObject.GDI32(?,00000000), ref: 006D9603
DeleteObject.GDI32 ref: 006D9616
StrokePath.GDI32(?), ref: 006D9631

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2e282a6380e44118535e2241bfc70622db7cc4fbe54b5be10ce421485fb795b2
Instruction ID: 84ead9ffb6d56b12568318782dffdc418bb293d7920b80b3162d18bbe9123e24
Opcode Fuzzy Hash: 2e282a6380e44118535e2241bfc70622db7cc4fbe54b5be10ce421485fb795b2
Instruction Fuzzy Hash: B8F01930405B89EFDB235F65ED187A43B62AB00376F44C216F429552F0C77999A2DF28

Function 006F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006F10F9
__freea.LIBCMT ref: 006F1117

Part of subcall function 006F1537: _free.LIBCMT ref: 006F154F

Strings

am/pm, xrefs: 006F117A
a/p, xrefs: 006F11DE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a179fa9705547c50bed1ac434faa7248e54519e9176657643e6dac5f60819f9b
Instruction ID: 035c008eadeb0c88cb2d888008d6daf931616ac533dfbf5c6bbd0793d4348c02
Opcode Fuzzy Hash: a179fa9705547c50bed1ac434faa7248e54519e9176657643e6dac5f60819f9b
Instruction Fuzzy Hash: 80D1E23290020ECADB289F68C8556FAB7B3EF07380F24411AEB119F755DB759E81CB51

Function 007461D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 006E0242: EnterCriticalSection.KERNEL32(0079070C,00791884,?,?,006D198B,00792518,?,?,?,006C12F9,00000000), ref: 006E024D
Part of subcall function 006E0242: LeaveCriticalSection.KERNEL32(0079070C,?,006D198B,00792518,?,?,?,006C12F9,00000000), ref: 006E028A

Part of subcall function 006E00A3: __onexit.LIBCMT ref: 006E00A9

__Init_thread_footer.LIBCMT ref: 00746238

Part of subcall function 006E01F8: EnterCriticalSection.KERNEL32(0079070C,?,?,006D8747,00792514), ref: 006E0202
Part of subcall function 006E01F8: LeaveCriticalSection.KERNEL32(0079070C,?,006D8747,00792514), ref: 006E0235

Part of subcall function 0073359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007335E4
Part of subcall function 0073359C: LoadStringW.USER32(00792390,?,00000FFF,?), ref: 0073360A

Strings

x#y, xrefs: 0074633A
x#y, xrefs: 0074636F
x#y, xrefs: 00746353

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#y$x#y$x#y
API String ID: 1072379062-3801053113
Opcode ID: 548911416e1ad8c0f86ad4fcbd397d37b5546209efa0c7da98eb53c79a4ba491
Instruction ID: 71901107f96f058c3febf03b4c6c94f0b6577d0eb2038ce9760f1cd8d0560786
Opcode Fuzzy Hash: 548911416e1ad8c0f86ad4fcbd397d37b5546209efa0c7da98eb53c79a4ba491
Instruction Fuzzy Hash: 0EC17D71A00105AFCB14EF98C891EBEB7BAFF49310F10806EF9159B291DB78E955CB91

Function 006F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOl, xrefs: 006F5BA8, 006F5C6C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: JOl
API String ID: 0-2980687805
Opcode ID: 87eac9bb11ea8aa61e08ea32f55b86f68942ea7b071d87f48bf75d52d8e216ae
Instruction ID: 03567e79173d4ec30ee9c0a232c313334a7eaf24fa144c1b6391f9ba9db0eb7d
Opcode Fuzzy Hash: 87eac9bb11ea8aa61e08ea32f55b86f68942ea7b071d87f48bf75d52d8e216ae
Instruction Fuzzy Hash: 63519D71901B0D9FCB219FA9C845AFEBBBAAF05310F14005EF707AB291D7759E028B65

Function 006F8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006F8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006F8B7A
__dosmaperr.LIBCMT ref: 006F8B81

Strings

.n, xrefs: 006F8A63

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .n
API String ID: 2434981716-61608593
Opcode ID: ff834bb9819c518061e6c1b6d3f9c673697bbb21f7fda42a6420a226f9e0b8ed
Instruction ID: 7546bd799f7e803dae17bddec36411b2d1b5a3996ef030b4df599376a88a81a1
Opcode Fuzzy Hash: ff834bb9819c518061e6c1b6d3f9c673697bbb21f7fda42a6420a226f9e0b8ed
Instruction Fuzzy Hash: 13416E7160414DAFDB259F68DC81ABD7FA7EB85304B2881EAFA4587242DE35CD038794

Function 00722716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0072B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007221D0,?,?,00000034,00000800,?,00000034), ref: 0072B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00722760

Part of subcall function 0072B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0072B3F8

Part of subcall function 0072B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0072B355
Part of subcall function 0072B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00722194,00000034,?,?,00001004,00000000,00000000), ref: 0072B365
Part of subcall function 0072B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00722194,00000034,?,?,00001004,00000000,00000000), ref: 0072B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0072281A

Strings

@, xrefs: 00722832

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2e074d271e62d1930fc864958028ab5d1d76164b07f853c4c10a88eb24d9e34e
Instruction ID: ed83b236ea2e4d4fe5f5ddd3d85f9cf91e7da97470d07b1caab1205afc1f116e
Opcode Fuzzy Hash: 2e074d271e62d1930fc864958028ab5d1d76164b07f853c4c10a88eb24d9e34e
Instruction Fuzzy Hash: 18411D72900228BFDB10DBA4DD85BEEBBB8EF05700F108099FA55B7181DB74AE45CB61

Function 006F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 006F1769
_free.LIBCMT ref: 006F1834
_free.LIBCMT ref: 006F183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 006F1760, 006F1767, 006F1796, 006F17CE

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 168cbe3bcc42837a414470668a198f9fa507a12512fa7d255280b2e40f306ffa
Instruction ID: f34ea354ed281fb6048f7da1116a8f71fcf17110f70ba0a19c37d89c47dedbe5
Opcode Fuzzy Hash: 168cbe3bcc42837a414470668a198f9fa507a12512fa7d255280b2e40f306ffa
Instruction Fuzzy Hash: 4F319171A0020DEFCB21EB999981DAEBBBEEB86390F10416AE6149B311D6704A41CB94

Function 0072C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0072C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0072C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00791990,00D45820), ref: 0072C395

Strings

0, xrefs: 0072C2DF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0f9481051a0e9c91915e0cc210225b04f592d62e524a74997a52e65b45484191
Instruction ID: 8c20a3d882bd67f708ebab4f979baeab29e05ebbd8a3c09d2da96122c9029bdc
Opcode Fuzzy Hash: 0f9481051a0e9c91915e0cc210225b04f592d62e524a74997a52e65b45484191
Instruction Fuzzy Hash: A341D0312043519FD721DF24E845B6EBBE4AFA5310F108A1DF8A5972D2D778E904CB67

Function 00754416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0075CC08,00000000,?,?,?,?), ref: 007544AA
GetWindowLongW.USER32 ref: 007544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007544D7

Strings

SysTreeView32, xrefs: 0075447C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c412d8357beb378a0deb10eff2c1fb414a385e07bb439ca19d737299945ba3ac
Instruction ID: 23bcbbed1bd7029e2daf3f7db5c0db605e6476e4916191f98bd11aa0ea51e474
Opcode Fuzzy Hash: c412d8357beb378a0deb10eff2c1fb414a385e07bb439ca19d737299945ba3ac
Instruction Fuzzy Hash: 5A318D71240245AFDF218F78DC45BEA77A9EB08329F204319FD75A21D0E7B8AC959750

Function 00726E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00726EED
VariantCopyInd.OLEAUT32(?,?), ref: 00726F08
VariantClear.OLEAUT32(?), ref: 00726F12

Strings

*jr, xrefs: 00726E8B, 00726E90, 00726EF8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jr
API String ID: 2173805711-3951200537
Opcode ID: 0f15f1edc2cea2290d809057c4ee906a349f9a7cb877ba9f26488af9cda1a24c
Instruction ID: 445cb3fcd2e385d138fb36d145634f684d53e0da1d1fa4ecd8718c3ca6e7f5e7
Opcode Fuzzy Hash: 0f15f1edc2cea2290d809057c4ee906a349f9a7cb877ba9f26488af9cda1a24c
Instruction Fuzzy Hash: 5B318F71604265DFCF05AFA4E951EBD37B6EF85700F10049EF9029B2A1CB389912DB94

Function 0074304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0074335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00743077,?,?), ref: 00743378

inet_addr.WSOCK32(?), ref: 0074307A
_wcslen.LIBCMT ref: 0074309B
htons.WSOCK32(00000000), ref: 00743106

Strings

255.255.255.255, xrefs: 00743095, 0074309A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fb73166704fa63a08c47eaf86486b96d6b5eb8479bc37849aa8e890ac2feb27d
Instruction ID: baaf9d2b05672e3d16eddd672745393d740af9194c27f1ac5b983a3aeb64b595
Opcode Fuzzy Hash: fb73166704fa63a08c47eaf86486b96d6b5eb8479bc37849aa8e890ac2feb27d
Instruction Fuzzy Hash: 1231E435200205DFDB10CF68C485FAA77E1EF14318F248199E9199B3A2DB7AEF41C760

Function 00753EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00753F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00753F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00753F78

Strings

SysMonthCal32, xrefs: 00753F0B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 714f936887e2f47947eeb7c9fedfb8bc330b2a898eaa24d291e10f7fa7a5d23c
Instruction ID: 16271ca3092792e308a3679132b3374f5adfa6baf5ede86a7ab681e845c32b9f
Opcode Fuzzy Hash: 714f936887e2f47947eeb7c9fedfb8bc330b2a898eaa24d291e10f7fa7a5d23c
Instruction Fuzzy Hash: 2F21AD32600219BFDF118E50CC46FEA3B75EB48754F110218FE156B1D0D6B9A955CBA0

Function 00754653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00754705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00754713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0075471A

Strings

msctls_updown32, xrefs: 00754684

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 8f35c52254da230affdeeb615804c3f13302bf990b7d0d42ff1bebcb6c4835a3
Instruction ID: 6f5c48756326c55efd12f5660727733e245808d263d5e540778d687ee8566bb7
Opcode Fuzzy Hash: 8f35c52254da230affdeeb615804c3f13302bf990b7d0d42ff1bebcb6c4835a3
Instruction Fuzzy Hash: 1121A1B5600249AFDB11DF64DCC1DB737ADEF4A3A9B000449FA009B251CB75EC56CB64

Function 007295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0072961D

Strings

#requireadmin, xrefs: 007295D9
#OnAutoItStartRegister, xrefs: 007295F3
#notrayicon, xrefs: 007295B7

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 1806024dc8fa857ba42a3d4e9f889d009846cf6a4f16bfeef24812fcf106efa5
Instruction ID: 7de4280aecd4fb4619189745a3ce3544807f8a410732447a8a07a49a633c8377
Opcode Fuzzy Hash: 1806024dc8fa857ba42a3d4e9f889d009846cf6a4f16bfeef24812fcf106efa5
Instruction Fuzzy Hash: 6B2157722042306AD331BB26EC02FBB73D9DF91300F18402EFA4997181EB99AD55C2E9

Function 007537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00753840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00753850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00753876

Strings

Listbox, xrefs: 0075380F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f3f189b4a1b7c0383a20ca510afadb58e4809ad339ef2210edc70b2b1d4f4bd4
Instruction ID: 9a27aa9450a0031370147810b6a4eaf535b6161518013b93a87b48b7ccc08bd7
Opcode Fuzzy Hash: f3f189b4a1b7c0383a20ca510afadb58e4809ad339ef2210edc70b2b1d4f4bd4
Instruction Fuzzy Hash: B8219572610218BBEF119F54CC85FFB376EEF89791F108114F9159B1A0C6B9EC5687A0

Function 007349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00734A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00734A5C
SetErrorMode.KERNEL32(00000000,?,?,0075CC08), ref: 00734AD0

Strings

%lu, xrefs: 00734A6F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a9f980cd2d768a00f805c9527b6dcd91a5e23b919c17f2df1b29404deb923efd
Instruction ID: 3899f250dcf1390358826164a0c7ac88ea3e1e42d92ed6b6bb7a013f3df83a85
Opcode Fuzzy Hash: a9f980cd2d768a00f805c9527b6dcd91a5e23b919c17f2df1b29404deb923efd
Instruction Fuzzy Hash: D9317371A00209AFD710DF54C885EAA7BF9EF04304F148099F905DB352DB75EE45CB65

Function 007541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0075424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00754264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00754271

Strings

msctls_trackbar32, xrefs: 00754226

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: cc459d56ccb17a9493c877f4a274f1c3ffd45b5386a9541b20056c670ceed992
Instruction ID: 5b70eaf29fa2880065656e63bad4e5b479c1022b1c0525e72baa31b82708c502
Opcode Fuzzy Hash: cc459d56ccb17a9493c877f4a274f1c3ffd45b5386a9541b20056c670ceed992
Instruction Fuzzy Hash: CC11E331240248BEEF205F29CC06FEB3BACEF85B69F114118FA55E2090D2B5D8529B24

Function 00722F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

Part of subcall function 00722DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00722DC5
Part of subcall function 00722DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00722DD6
Part of subcall function 00722DA7: GetCurrentThreadId.KERNEL32 ref: 00722DDD
Part of subcall function 00722DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00722DE4

GetFocus.USER32 ref: 00722F78

Part of subcall function 00722DEE: GetParent.USER32(00000000), ref: 00722DF9

GetClassNameW.USER32(?,?,00000100), ref: 00722FC3
EnumChildWindows.USER32(?,0072303B), ref: 00722FEB

Strings

%s%d, xrefs: 00722FFF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: c39954d43aa2d23a7f934f7e7290e4d8580691e60abf9f13f55e085374cada6e
Instruction ID: 9785300e74ed2d6a5f08dbe15b78bd63f05c06be8538786e3760c4ea0681ee0d
Opcode Fuzzy Hash: c39954d43aa2d23a7f934f7e7290e4d8580691e60abf9f13f55e085374cada6e
Instruction Fuzzy Hash: FF110271300215ABDF51BF70DC89FED37AAEF84304F008079B9099B242DE789A0A8B30

Function 00755882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007558EE
DrawMenuBar.USER32(?), ref: 007558FD

Strings

0, xrefs: 0075588F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 004f01b2a5cb167fc23bdf91ef404e0804ceb1f20db655d006a1ebcbf8ad6319
Instruction ID: 78c7f034761be0276a6f537b25bc1001b925dd773599344e31fff31cbb762243
Opcode Fuzzy Hash: 004f01b2a5cb167fc23bdf91ef404e0804ceb1f20db655d006a1ebcbf8ad6319
Instruction Fuzzy Hash: DF01C431500208EFDB519F51DC44BEEBBB5FF45362F108099E849D6261DBB89A94DF20

Function 0072007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb361d432f0046fe8100703b17bd7569d018b639d6e533ee982cfd5fd660093
Instruction ID: 1716eac3117b84033a7c034b6b91a288b1ac8be59b224bf7000831a436a84222
Opcode Fuzzy Hash: 2cb361d432f0046fe8100703b17bd7569d018b639d6e533ee982cfd5fd660093
Instruction Fuzzy Hash: DFC17C75A0022AEFDB04CFA4D888EAEB7B5FF48314F108598E405EB252D735ED41CBA0

Function 0074342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00743459
CoUninitialize.OLE32 ref: 00743463
VariantInit.OLEAUT32(?), ref: 0074346E
VariantClear.OLEAUT32(?), ref: 0074371B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3c302efa077067bda536bd2ae577fbf03d47e8a69bae4e98fcadaee557ae98b4
Instruction ID: 566d201cd149a709f57b71dbfef555b9aa5e1ad306cb5d8a47df1fb494f6a892
Opcode Fuzzy Hash: 3c302efa077067bda536bd2ae577fbf03d47e8a69bae4e98fcadaee557ae98b4
Instruction Fuzzy Hash: 6AA117756043019FCB40DF28C585A2AB7E5EF88724F05885DF98A9B362DB34EE01CB96

Function 00720436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0075FC08,?), ref: 007205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0075FC08,?), ref: 00720608
CLSIDFromProgID.OLE32(?,?,00000000,0075CC40,000000FF,?,00000000,00000800,00000000,?,0075FC08,?), ref: 0072062D
_memcmp.LIBVCRUNTIME ref: 0072064E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 3cf938f7a2ab731cdbadd6657c9d8a95b10815250e74a12ebf6846eedbe483f3
Instruction ID: 66e4c64a8b40699082db98a5baa599a6a1d72da2d9b0fa2a1b11eaeedebc115a
Opcode Fuzzy Hash: 3cf938f7a2ab731cdbadd6657c9d8a95b10815250e74a12ebf6846eedbe483f3
Instruction Fuzzy Hash: 11811E71A00219EFCB04DF94C984EEEB7B9FF89315F204558F506AB251DB75AE06CBA0

Function 0074A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0074A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0074A6BA

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0074A79C
CloseHandle.KERNEL32(00000000), ref: 0074A7AB

Part of subcall function 006DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00703303,?), ref: 006DCE8A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3db7a44c44c1a604b2aa99d881393f1f07212d1dfe030a66b7f9569307f11873
Instruction ID: c28d0e386865edf420f65124e62f4b4d4b8ee49e1de87bb857486f34c5e47040
Opcode Fuzzy Hash: 3db7a44c44c1a604b2aa99d881393f1f07212d1dfe030a66b7f9569307f11873
Instruction Fuzzy Hash: 6D516E71508300AFD350EF24C886E6BBBE9FF89754F40892DF58A97251EB34D904CBA6

Function 00701391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007014C0

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1bf7b2472406faebf736fcb13bbef95a3a2cfb88d0cba2ce374532d87c363b84
Instruction ID: b033c6434db05d56596c55e794a44f04a186793a90d6025219ce0057755ff3b9
Opcode Fuzzy Hash: 1bf7b2472406faebf736fcb13bbef95a3a2cfb88d0cba2ce374532d87c363b84
Instruction Fuzzy Hash: 21416A31A00284EFDB216BF98C45ABE3AE6EF41330F544329F519D72E2E77C89419766

Function 00756278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007562E2
ScreenToClient.USER32(?,?), ref: 00756315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00756382

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e1c49367dbed97ba42b203cf37d3b0d306de0c2f490a080facd743fe4e4c1300
Instruction ID: 25c909d9fcf202dbb5892d43d1635b0383b2d473144475953e8b3299631fa9e7
Opcode Fuzzy Hash: e1c49367dbed97ba42b203cf37d3b0d306de0c2f490a080facd743fe4e4c1300
Instruction Fuzzy Hash: D4514A74A00249EFCF10DF68D880AEE7BB6FB45361F508169F9159B2A0D778EE85CB50

Function 00741AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00741AFD
WSAGetLastError.WSOCK32 ref: 00741B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00741B8A
WSAGetLastError.WSOCK32 ref: 00741B94

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d110e1ab95d9b52e6b17c783800ecdc8c00b924aa8a23e8314559440f19ec542
Instruction ID: 104949dab27f1a21c9f13e86a6f4c375f01447ecd4d930c654c8abc5fd3f7809
Opcode Fuzzy Hash: d110e1ab95d9b52e6b17c783800ecdc8c00b924aa8a23e8314559440f19ec542
Instruction Fuzzy Hash: E2418D74600200AFE720AF24C886F2977E6EB44718F94844CF91A9F7D2D776ED82CB94

Function 006FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c005dc4e2ecbc523875b8d6e1fa556689554f85349725a9fd33bf1aba417bb
Instruction ID: be73817c102ee8f8bb5c99775c502eaa03de36b149e6682d263a9bcd8d7577f9
Opcode Fuzzy Hash: c3c005dc4e2ecbc523875b8d6e1fa556689554f85349725a9fd33bf1aba417bb
Instruction Fuzzy Hash: 43412875A00708AFD724AF78CD41BBABBEAEF84710F10462EF641DB681D375A9018B90

Function 007356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00735783
GetLastError.KERNEL32(?,00000000), ref: 007357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007357FA

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3841b0da2da330b7b5739c131ab5be7cf682a3066698386b53c8987dcc80c0ad
Instruction ID: 2f25adedc86b88db4e24dfbcdf9b33af5b7c1f06e44cb0a0a36be2fce194c338
Opcode Fuzzy Hash: 3841b0da2da330b7b5739c131ab5be7cf682a3066698386b53c8987dcc80c0ad
Instruction Fuzzy Hash: BF41F639600610DFCB11EF15C545A6ABBE2EF89720F19848CE84AAB362CB34FD41DF95

Function 006FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,006E6D71,00000000,00000000,006E82D9,?,006E82D9,?,00000001,006E6D71,?,00000001,006E82D9,006E82D9), ref: 006FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006FD9AB
__freea.LIBCMT ref: 006FD9B4

Part of subcall function 006F3820: RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2d29603c589b0f50b6c3e20c63b894ae40cf8d6d299846f4466ec4f69c99cd22
Instruction ID: b7f47e359224b5a5835577d520b2b1978dad810acf5bd44abad5cfd8ff1270b9
Opcode Fuzzy Hash: 2d29603c589b0f50b6c3e20c63b894ae40cf8d6d299846f4466ec4f69c99cd22
Instruction Fuzzy Hash: 0931CD72A0020AABDB259FA5DC45EFE7BA7EB40310B054168FD04D6291EB79ED51CBA0

Function 007552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00755352
GetWindowLongW.USER32(?,000000F0), ref: 00755375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00755382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007553A8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0a0a9055a97fc254eb576573cfabb5fa229e02252734e0e8d1ee13eedce40039
Instruction ID: bb25a2c0c5811fa2aaa7822aeabe8785baed3280f7b9b475796f9e0c751f8c50
Opcode Fuzzy Hash: 0a0a9055a97fc254eb576573cfabb5fa229e02252734e0e8d1ee13eedce40039
Instruction Fuzzy Hash: 4F31E430A55A08EFEB319F14CC25BE83761EB0439AF584012FE19962E0C7FD9D88DB41

Function 0072AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0072ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0072AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0072AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0072ACC6

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ab762d87c24a56c05aabe3a5416d6f56fb8608c7464cfef296e828738addb462
Instruction ID: 257a3988fb69d446652c116c6136bcb5354ca827c8983e8e590d9d8654355f6a
Opcode Fuzzy Hash: ab762d87c24a56c05aabe3a5416d6f56fb8608c7464cfef296e828738addb462
Instruction Fuzzy Hash: 4731F630A04728BFFF258B65EC087FA7BAAAB85310F04421AE485521D1D37D8AC58772

Function 00757674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0075769A
GetWindowRect.USER32(?,?), ref: 00757710
PtInRect.USER32(?,?,00758B89), ref: 00757720
MessageBeep.USER32(00000000), ref: 0075778C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c7487f8be51e5af6f852e74e6be3e0caa227e71655157a37f876f37d47626ff0
Instruction ID: 4d67a139704e9c7a10e22a6014c830ac5dd4db07e0fca47df7649eb1a6d29dc7
Opcode Fuzzy Hash: c7487f8be51e5af6f852e74e6be3e0caa227e71655157a37f876f37d47626ff0
Instruction Fuzzy Hash: 8A41BD34609255DFDB06CF58E884FE877F0FB48312F5584A9E8148B260C3B8A94ACF90

Function 007516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007516EB

Part of subcall function 00723A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00723A57
Part of subcall function 00723A3D: GetCurrentThreadId.KERNEL32 ref: 00723A5E
Part of subcall function 00723A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007225B3), ref: 00723A65

GetCaretPos.USER32(?), ref: 007516FF
ClientToScreen.USER32(00000000,?), ref: 0075174C
GetForegroundWindow.USER32 ref: 00751752

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 431ef4194fcf05bd0fe80f019c64db3fd5b552858889b3e53183f8bb8ed7509e
Instruction ID: e47cd36aeb5a98d2fa77a450fec171fa9e6627dd4b7ee4cc1f583bceae67b17b
Opcode Fuzzy Hash: 431ef4194fcf05bd0fe80f019c64db3fd5b552858889b3e53183f8bb8ed7509e
Instruction Fuzzy Hash: 0D314171D00249AFC700EFA9C885DEEBBF9EF88304B5084AEE415E7211D7759E45CBA4

Function 00758FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

GetCursorPos.USER32(?), ref: 00759001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00717711,?,?,?,?,?), ref: 00759016
GetCursorPos.USER32(?), ref: 0075905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00717711,?,?,?), ref: 00759094

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d4290a105827798d712d8769a756f1ecad4024ad9b2b44071684e842285403fb
Instruction ID: fbb100d512e61b1397716fbfeeccac42c54536e0b49eae84aaec9bb0dd4aa292
Opcode Fuzzy Hash: d4290a105827798d712d8769a756f1ecad4024ad9b2b44071684e842285403fb
Instruction Fuzzy Hash: 8421D331600118EFDB168F94CC58FFB7BB9EF49362F144459FA09472A1D3B9A960DB60

Function 0072D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0075CB68), ref: 0072D2FB
GetLastError.KERNEL32 ref: 0072D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0072D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0075CB68), ref: 0072D376

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2af46633293596da2bcbdf1f079a3f92fb6d26ecd39827894548ad856e88a0db
Instruction ID: d2407774fac277d49d0975bd2a9ac1c26b74cd0ba2c3beab22cf708b6d4f3e20
Opcode Fuzzy Hash: 2af46633293596da2bcbdf1f079a3f92fb6d26ecd39827894548ad856e88a0db
Instruction Fuzzy Hash: 3C219F70509311DF8320DF28D8859AA77E4FE56324F104A1DF499C32A2EB35DE49CB97

Function 00721571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00721014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0072102A
Part of subcall function 00721014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00721036
Part of subcall function 00721014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00721045
Part of subcall function 00721014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0072104C
Part of subcall function 00721014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00721062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007215BE
_memcmp.LIBVCRUNTIME ref: 007215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00721617
HeapFree.KERNEL32(00000000), ref: 0072161E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4f1ffee5ac3a61413491325979b5f80ee641217668bfd1deb4ada6b8e0a978c1
Instruction ID: e18a5e8756961f807c27c131e7c0916a95fb6c5514b2be3a05cc00faaf476a83
Opcode Fuzzy Hash: 4f1ffee5ac3a61413491325979b5f80ee641217668bfd1deb4ada6b8e0a978c1
Instruction Fuzzy Hash: 7C21AC71E00218EFDF00DFA4D945BEEB7B8FF50345F498499E401AB241EB78AA04CBA0

Function 00752782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0075280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00752824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00752832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00752840

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 3155b9c515884d67369f6917bf17ac24b0a17f1fc01d98f027c2224e0594c10e
Instruction ID: 699ba0a46b11e80159aadb5df2f470f4c0f555c2f05f1c5abbed9d6fc13597f7
Opcode Fuzzy Hash: 3155b9c515884d67369f6917bf17ac24b0a17f1fc01d98f027c2224e0594c10e
Instruction Fuzzy Hash: FD21B031204211AFD715DB24C845FEA7B95EF86325F24815CF8268B6A3DBB9FC86C790

Function 007278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00728D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0072790A,?,000000FF,?,00728754,00000000,?,0000001C,?,?), ref: 00728D8C
Part of subcall function 00728D7D: lstrcpyW.KERNEL32(00000000,?,?,0072790A,?,000000FF,?,00728754,00000000,?,0000001C,?,?,00000000), ref: 00728DB2
Part of subcall function 00728D7D: lstrcmpiW.KERNEL32(00000000,?,0072790A,?,000000FF,?,00728754,00000000,?,0000001C,?,?), ref: 00728DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00728754,00000000,?,0000001C,?,?,00000000), ref: 00727923
lstrcpyW.KERNEL32(00000000,?,?,00728754,00000000,?,0000001C,?,?,00000000), ref: 00727949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00728754,00000000,?,0000001C,?,?,00000000), ref: 00727984

Strings

cdecl, xrefs: 0072797B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9dd334dc936513d8990029c077598e6ffb54f39fc2858c08222b026a0b9caadf
Instruction ID: 4f80c89c2fb1516efcc3943d6c57ac0036bbd71d0e410b26883d0832cd5cc28e
Opcode Fuzzy Hash: 9dd334dc936513d8990029c077598e6ffb54f39fc2858c08222b026a0b9caadf
Instruction Fuzzy Hash: 1B11293A200311AFCB155F34E844E7A77A9FF45350B00802AF986CB3A4EF75A841C755

Function 00757CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00757D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00757D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00757D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0073B7AD,00000000), ref: 00757D6B

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4a8b1ea6834a35e33bac8577c55fe6d898cfd6573ce95d7535ceb1128c728459
Instruction ID: 055b932b2ddcdda66cb54035ee40036216e9f4799747c64d4cab029b20784c60
Opcode Fuzzy Hash: 4a8b1ea6834a35e33bac8577c55fe6d898cfd6573ce95d7535ceb1128c728459
Instruction Fuzzy Hash: FD11DE31604715AFCB158F28EC04AA63BA5EF45362B118328FC35CB2E0E7B89925CB50

Function 00755660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007556BB
_wcslen.LIBCMT ref: 007556CD
_wcslen.LIBCMT ref: 007556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00755816

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7769e5548a255f701a5f55781aaa3ab56f94837e3089afa030e09af034db98a4
Instruction ID: c06dd93abb6c19fe87dbc608e8b77d31732916f4d6e3c47f50a58fd2bc5d3ad0
Opcode Fuzzy Hash: 7769e5548a255f701a5f55781aaa3ab56f94837e3089afa030e09af034db98a4
Instruction Fuzzy Hash: 32110671A0074496DF209F61CC95EEE377CEF00762B10406AFD05D6081EBF8DA88CBA4

Function 006F1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b5f437a661e0d2127686222a7e738bb422d4a7759b47d8f8ffc938458cbc2c
Instruction ID: 6579ba0ebdffcf09fa43c80469346daf74147fa424ce1fc7b029ece6f9ff528a
Opcode Fuzzy Hash: 36b5f437a661e0d2127686222a7e738bb422d4a7759b47d8f8ffc938458cbc2c
Instruction Fuzzy Hash: 6D01A2B2209A1EBEF75116786CC0FB7662FDF427F8B34132AF721A52D2DB608C005164

Function 00721A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00721A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00721A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00721A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00721A8A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e2475143b9c82e3d327b903382e419c3ec424196ea403ef94e1090663785be1f
Instruction ID: 5b9afc2c0851666b0143dc3dedfba30d350056af2ed3ca410ca0e0a51f8896c7
Opcode Fuzzy Hash: e2475143b9c82e3d327b903382e419c3ec424196ea403ef94e1090663785be1f
Instruction Fuzzy Hash: EB11273A901229FFEB119BA4CD85FADBB78FB18750F2040A1EA00B7290D6716F50DB94

Function 0072E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0072E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0072E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0072E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0072E24D

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 038f9972130ee841c536e4f4c0cac00650555e8ccd26f9fd7e5e257985d533ce
Instruction ID: b86cdddef0735ad9a827320b35eb63e90561be147662d67f2dbec2fb6ce314f3
Opcode Fuzzy Hash: 038f9972130ee841c536e4f4c0cac00650555e8ccd26f9fd7e5e257985d533ce
Instruction Fuzzy Hash: CB110872904369FFD7019BA8AC05ADE7FACEB45311F10821AF925E3290D2B8890087A5

Function 006ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,006ECFF9,00000000,00000004,00000000), ref: 006ED218
GetLastError.KERNEL32 ref: 006ED224
__dosmaperr.LIBCMT ref: 006ED22B
ResumeThread.KERNEL32(00000000), ref: 006ED249

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d73321a42785f9f65f3673cea90d70163e279b5b00a7ab5ffb9ad8b5236d2a25
Instruction ID: 4d1befb8884a2025b21c3061daf8713346d13dd69677dbd69bfeaddd68ebacff
Opcode Fuzzy Hash: d73321a42785f9f65f3673cea90d70163e279b5b00a7ab5ffb9ad8b5236d2a25
Instruction Fuzzy Hash: A201D636806388BFC7115BA7DC09BEE7A6BDF81731F204219FB25921D0DF718A01C6A5

Function 00759EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

GetClientRect.USER32(?,?), ref: 00759F31
GetCursorPos.USER32(?), ref: 00759F3B
ScreenToClient.USER32(?,?), ref: 00759F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00759F7A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1a254941fb0fe5a2807bcd723431760c7a2f2c8131357421bb251ad9123ef995
Instruction ID: e0ddc0dd6ddac53d28d77f94df77bef6d563e274670b1f2267a8e1f8851cda33
Opcode Fuzzy Hash: 1a254941fb0fe5a2807bcd723431760c7a2f2c8131357421bb251ad9123ef995
Instruction Fuzzy Hash: 3611483290021AEFDB01DFA8D889DEE77B9FB05312F504455FA01E3180D3B8BA95CBA5

Function 006C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006C604C
GetStockObject.GDI32(00000011), ref: 006C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006C606A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9c58937d0a02117368b7a0acfbb3bb34620628f0b19dc5ea50a22e456ba1afa2
Instruction ID: 41582f8c9d18c5e39f31b712c78861dcb3c635d6bcc2c6dec14f5916d23de356
Opcode Fuzzy Hash: 9c58937d0a02117368b7a0acfbb3bb34620628f0b19dc5ea50a22e456ba1afa2
Instruction Fuzzy Hash: 1811A172201608BFEF124F94CD44FFA7B6AEF0C365F004216FA0462110C7769C60DB94

Function 006E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 006E3B56

Part of subcall function 006E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006E3AD2
Part of subcall function 006E3AA3: ___AdjustPointer.LIBCMT ref: 006E3AED

_UnwindNestedFrames.LIBCMT ref: 006E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 006E3BA4

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4b9b7e26d345d6dca73f34bdf7add103ed6db464adacda4b9dfa2e4a4bde5df1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 55014032101289BBDF125E96CC4AEEB3F6EEF58754F044018FE4856221C732D961DBA4

Function 006F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006C13C6,00000000,00000000,?,006F301A,006C13C6,00000000,00000000,00000000,?,006F328B,00000006,FlsSetValue), ref: 006F30A5
GetLastError.KERNEL32(?,006F301A,006C13C6,00000000,00000000,00000000,?,006F328B,00000006,FlsSetValue,00762290,FlsSetValue,00000000,00000364,?,006F2E46), ref: 006F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006F301A,006C13C6,00000000,00000000,00000000,?,006F328B,00000006,FlsSetValue,00762290,FlsSetValue,00000000), ref: 006F30BF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 46ff374f35ee86117cbb1181eb47972882c18df13a920a5073a5499f6b1b10ac
Instruction ID: 92e2216a01f920c0ea24990b12dff7a2ebf3404d1616921323860c46a0247006
Opcode Fuzzy Hash: 46ff374f35ee86117cbb1181eb47972882c18df13a920a5073a5499f6b1b10ac
Instruction Fuzzy Hash: 8F01F73230133AAFCB314B799C44EB77B9AAF05BA1B104621FA06E3340CF25D942C6E4

Function 00727464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0072747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00727497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007274CA

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: d613bfb9594a8caa6fbc992ba98cc4639717055f46612d4536cc3a9b20df4803
Instruction ID: 9d2ef0e16c4b39720c8e27d48fef3644f8318de77ec94c4bfc59f0dc81e92129
Opcode Fuzzy Hash: d613bfb9594a8caa6fbc992ba98cc4639717055f46612d4536cc3a9b20df4803
Instruction Fuzzy Hash: C611D6B12053A49FE720DF14EE08F927FFCEB00B10F108569A616D7151D7B8E904DB51

Function 0072B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0072ACD3,?,00008000), ref: 0072B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0072ACD3,?,00008000), ref: 0072B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0072ACD3,?,00008000), ref: 0072B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0072ACD3,?,00008000), ref: 0072B126

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 9a1fa289483bc9a0eb8c149e965f6a4e4ae524c7496bb140e3a9dc13e1a56489
Instruction ID: 1e9e12c350d0cda16bc01261370d46a6a040603566427bfbcde270d4bcf81434
Opcode Fuzzy Hash: 9a1fa289483bc9a0eb8c149e965f6a4e4ae524c7496bb140e3a9dc13e1a56489
Instruction Fuzzy Hash: C3116171C01A3DDBCF11AFE4E9697EEBB78FF09711F118085D941B2141CB7859508B55

Function 00757E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00757E33
ScreenToClient.USER32(?,?), ref: 00757E4B
ScreenToClient.USER32(?,?), ref: 00757E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00757E8A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ec413c4e0d97ac32632ec452c911de66f15117328550c9d1e86c4390d9e19d65
Instruction ID: ffe4c077e1f785fdc169fb0ee345e356f92af0c46d4275a9898e122904860824
Opcode Fuzzy Hash: ec413c4e0d97ac32632ec452c911de66f15117328550c9d1e86c4390d9e19d65
Instruction Fuzzy Hash: B51142B9D0024AAFDB41CF98D884AEEBBF9FF08311F509066E915E3210D775AA54CF94

Function 00722DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00722DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00722DD6
GetCurrentThreadId.KERNEL32 ref: 00722DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00722DE4

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 24a3c44b84a6d9fe003167b3b8da775aecb2679a06e69c390d3d773ac7ffd3ec
Instruction ID: 8cb54194bc0ca13d0addcb15195b0aaf560fd574cfef210ca7c739b74f4882c8
Opcode Fuzzy Hash: 24a3c44b84a6d9fe003167b3b8da775aecb2679a06e69c390d3d773ac7ffd3ec
Instruction Fuzzy Hash: 08E06D722013347BD7211B72AC0EFEB3E6CEB42BA2F004015B105D10819AE8C941C6B0

Function 00758863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006D9693
Part of subcall function 006D9639: SelectObject.GDI32(?,00000000), ref: 006D96A2
Part of subcall function 006D9639: BeginPath.GDI32(?), ref: 006D96B9
Part of subcall function 006D9639: SelectObject.GDI32(?,00000000), ref: 006D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00758887
LineTo.GDI32(?,?,?), ref: 00758894
EndPath.GDI32(?), ref: 007588A4
StrokePath.GDI32(?), ref: 007588B2

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c6e6f3b9241cda718106adb2f6b04e5b14c4719df952591c573e3d23fa8cb28a
Instruction ID: fa70f9c1d10ac7ca075d5bbe4f2c216d9922bac3d223c0c3afd8e6733782cb17
Opcode Fuzzy Hash: c6e6f3b9241cda718106adb2f6b04e5b14c4719df952591c573e3d23fa8cb28a
Instruction Fuzzy Hash: 2CF03A36041759BBEB136F94AC09FCA3B59AF06322F44C005FA11651E1C7B96521CBA9

Function 006D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006D98CC
SetTextColor.GDI32(?,?), ref: 006D98D6
SetBkMode.GDI32(?,00000001), ref: 006D98E9
GetStockObject.GDI32(00000005), ref: 006D98F1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 29af5bbaeb0e47400587e1de3a5be5b07b72677e42e0ef1f7b0c2cee6ccc4d34
Instruction ID: fe984a86648bca985b34360c8629e099fa92d5e88aa65355c962e60f5477263b
Opcode Fuzzy Hash: 29af5bbaeb0e47400587e1de3a5be5b07b72677e42e0ef1f7b0c2cee6ccc4d34
Instruction Fuzzy Hash: FCE06531244784AEDB225B79AC09BD83F21AB11336F14C219F6F9580E1C7B54650DB10

Function 0072162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00721634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007211D9), ref: 0072163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007211D9), ref: 00721648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007211D9), ref: 0072164F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4c6fe22809b6bb6c4f8b0888f6a6e8ea90e2022194d1e2aa1ad407e396b94471
Instruction ID: a2f99d36ea4f5b3e1d16ad3d30a09f17dcb20fed4ba1f8e94706d28a8d5c4874
Opcode Fuzzy Hash: 4c6fe22809b6bb6c4f8b0888f6a6e8ea90e2022194d1e2aa1ad407e396b94471
Instruction Fuzzy Hash: D8E04F71602321AFD7201BA0AE0DB8A3B68BF54B92F148808F249C9080DAAC4440C758

Function 0071D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0071D858
GetDC.USER32(00000000), ref: 0071D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0071D882
ReleaseDC.USER32(?), ref: 0071D8A3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ac1fae12627f6447bee0df38d9ccf06e9d7fffa112131ab6ed43c4196e31fd1c
Instruction ID: 6d8fdc6703072f9dee6164b11e83c20365548ef5d0607f68a5c5f9bda5d74c60
Opcode Fuzzy Hash: ac1fae12627f6447bee0df38d9ccf06e9d7fffa112131ab6ed43c4196e31fd1c
Instruction Fuzzy Hash: E6E0ED70800304DFCB429FA098087ADBBB2EB48311B108009E80AE7250C7784A419F44

Function 0071D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0071D86C
GetDC.USER32(00000000), ref: 0071D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0071D882
ReleaseDC.USER32(?), ref: 0071D8A3

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 302b1694118ab9b7605221461a9a2c924083e17f36695d2e0bde9952fa12368a
Instruction ID: 7f2d529f669a7581ec34cee8ca9c354bc60616f73b26fc3977d34d5894486437
Opcode Fuzzy Hash: 302b1694118ab9b7605221461a9a2c924083e17f36695d2e0bde9952fa12368a
Instruction Fuzzy Hash: F3E09A75C00304DFCF52AFA0D8087ADBBB6FB48712B148449E95AE7250C77C5A02DF54

Function 00734D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006C7620: _wcslen.LIBCMT ref: 006C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00734ED4

Strings

LPT, xrefs: 00734DFB
*, xrefs: 00734E10

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 410788db9c78779d5700705a7fdb5650520ba8f9abd8d6fed1a760d7f7a86702
Instruction ID: fdbc0f631d8b0aee1161e2e028ba4b7107f3172f5e5b81e93b451479d2d6ea8b
Opcode Fuzzy Hash: 410788db9c78779d5700705a7fdb5650520ba8f9abd8d6fed1a760d7f7a86702
Instruction Fuzzy Hash: DD914D75A002059FDB18DF58C484EAABBF1EF44304F18809DE80A9F362D739EE85CB91

Function 006EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006EE30D

Strings

pow, xrefs: 006EE2E5, 006EE302

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 59df9ca26398746b1a37dccdfee0da4c8f88de67fa13381a6679cf4147b30d1f
Instruction ID: 19a16392aa8f0a236042bb5338619533b9dfb7c4abf44475afb5ebcc634c7042
Opcode Fuzzy Hash: 59df9ca26398746b1a37dccdfee0da4c8f88de67fa13381a6679cf4147b30d1f
Instruction Fuzzy Hash: D851BE61A0D74A96CB117B15CD013F93BA7EF00740F708959E2D2833E9EB368C969A4A

Function 00747771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0071569E,00000000,?,0075CC08,?,00000000,00000000), ref: 007478DD

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

CharUpperBuffW.USER32(0071569E,00000000,?,0075CC08,00000000,?,00000000,00000000), ref: 0074783B

Strings

<sx, xrefs: 007477C8

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sx
API String ID: 3544283678-2298222301
Opcode ID: 5c96514d69d2af7d1376bdf12e4be2bd4d36d1b8e036927aaf6c86ca8fc32c21
Instruction ID: 8cd0ae2142a5dc7ff1aa3a3f9c01334c2b6398d70e2021cc0b0fe987cf092d94
Opcode Fuzzy Hash: 5c96514d69d2af7d1376bdf12e4be2bd4d36d1b8e036927aaf6c86ca8fc32c21
Instruction Fuzzy Hash: 2D612A72914128AACF49EBE4CC91EFDB379FF14304B44452DF542A7191EF38AA05DBA4

Function 006DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 006DE1B1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6fedce58d67edd7eb24cc8becfc9387d1c25498373d8cf806a4b640f9e903609
Instruction ID: cc14f2fe7fb7fa8d361a0ae76ea2bc9d0cf2e7d2dfd59caa11a3d6e57d1167ed
Opcode Fuzzy Hash: 6fedce58d67edd7eb24cc8becfc9387d1c25498373d8cf806a4b640f9e903609
Instruction Fuzzy Hash: 79512635900346DFEB15EF68C481AFA7BA6EF55310F64805AEC519F3D0D6399E82CBA0

Function 006DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 006DF2BB

Strings

@, xrefs: 006DF2AF

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: aabc3d5a3a77015b6a78ad3339537d184b14e5adfbda28eef4a208ac7250ecd7
Instruction ID: e5ad22fc36f2d2cae8db367f9174c45d1b94e37d39a61970854efc2e9147d122
Opcode Fuzzy Hash: aabc3d5a3a77015b6a78ad3339537d184b14e5adfbda28eef4a208ac7250ecd7
Instruction Fuzzy Hash: 655164714087449BD360AF10D886BABBBF9FF84310F81884CF199411A5EB309969CB6A

Function 00745745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007457E0
_wcslen.LIBCMT ref: 007457EC

Strings

CALLARGARRAY, xrefs: 007457E6, 007457EB

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 00d64e5fcbc12a6bd955fb37c7ea1cf0a110f8c18a62b99e5bcb6a241ada8ff1
Instruction ID: 29779bf4be36ceb799c645eb35bbadb4084325a4d99a3365265e3106acfb4bb7
Opcode Fuzzy Hash: 00d64e5fcbc12a6bd955fb37c7ea1cf0a110f8c18a62b99e5bcb6a241ada8ff1
Instruction Fuzzy Hash: FE418231E00209DFCB14DFA9C8859BEBBF9EF59314F10406DE505A7252DB789D81CBA0

Function 0073D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0073D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0073D13A

Strings

|, xrefs: 0073D10B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ef87a9bd55a946d60b50d01e7bbfef7f88092cf12da78682d3ef93b062565bad
Instruction ID: 40bf6ac3b4b1d738d8698a2a17d72073225c39eeff35e5f43d488f56d94e9f26
Opcode Fuzzy Hash: ef87a9bd55a946d60b50d01e7bbfef7f88092cf12da78682d3ef93b062565bad
Instruction Fuzzy Hash: 3E311871D01209ABDF55EFA4DC85EEE7BBAFF08304F00001DF815A6162D735A916CB54

Function 0075356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00753621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0075365C

Strings

static, xrefs: 007535BC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 92f6398ac0e4c4d6c7ea0b9e767e18f940ca97f8ac632d0bd56910980bb808be
Instruction ID: 5f36c40e41881d0d16ed854b563284ea59a7eb670b340baf793ad089ca182c1b
Opcode Fuzzy Hash: 92f6398ac0e4c4d6c7ea0b9e767e18f940ca97f8ac632d0bd56910980bb808be
Instruction Fuzzy Hash: 5D31AC71100204AEDB109F38CC80FFB73A9FF88761F00961DF8A597290DAB9AD96C764

Function 00754537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0075461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00754634

Strings

', xrefs: 0075458E

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b16f20442d3791c6b3a3cf3bb66f27a80bf764b0a2e236a56850c1894e15d96f
Instruction ID: 78ea3b99b7edf6f51a6108946f5fc151002a3624944b5a6a7bb56836049f5599
Opcode Fuzzy Hash: b16f20442d3791c6b3a3cf3bb66f27a80bf764b0a2e236a56850c1894e15d96f
Instruction Fuzzy Hash: 87312774A0130AAFDB14CFA9C990BDA7BB5FF09315F10406AED04AB341E7B4A995CF90

Function 007531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0075327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00753287

Strings

Combobox, xrefs: 00753249

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 34533a930d2d64ebf2bd4bd7931be4ee1b88ed3c545e4616cfda78e255b44101
Instruction ID: 8cd3db667ec9314d500b7a12ce6876b1514687916abef74c43070abbf55272e6
Opcode Fuzzy Hash: 34533a930d2d64ebf2bd4bd7931be4ee1b88ed3c545e4616cfda78e255b44101
Instruction Fuzzy Hash: 5111E271300608BFFF219E54DC80EFB376AFB943A5F104128F918E72A0D6B99D558760

Function 00753710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006C604C
Part of subcall function 006C600E: GetStockObject.GDI32(00000011), ref: 006C6060
Part of subcall function 006C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006C606A

GetWindowRect.USER32(00000000,?), ref: 0075377A
GetSysColor.USER32(00000012), ref: 00753794

Strings

static, xrefs: 00753757

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e643c008afb6669a7cc170e812230b9b961298364c145a4179c143866492f3bc
Instruction ID: 352528898c851e14fc6e8ead82376f1a55335dcfce04b0c4aef4c717b3198803
Opcode Fuzzy Hash: e643c008afb6669a7cc170e812230b9b961298364c145a4179c143866492f3bc
Instruction Fuzzy Hash: 5E1159B2A10209AFDB01DFA8CC45EEA7BB8EB08355F004918FD55E2250E779E8659B50

Function 0073CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0073CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0073CDA6

Strings

<local>, xrefs: 0073CD66

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fa537c7e85cbb05a3581299522f3d84445b5904d74ba97e8d050fef9c6e24ea3
Instruction ID: f26c2e95f950e0a66206caa49a8d4db0a607bee7b85557992bfe426133507293
Opcode Fuzzy Hash: fa537c7e85cbb05a3581299522f3d84445b5904d74ba97e8d050fef9c6e24ea3
Instruction Fuzzy Hash: D811C6753256317AE7364B668C45FE7BE6CEF127A4F004226B109A3181D7789840D7F0

Function 00753429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007534BA

Strings

edit, xrefs: 0075348F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 31c299646375ebf605049c666f22f2d600c2cc8bb05519b040644b0548b3472e
Instruction ID: 06509e18b3b857bb53ad44c80907f3462269f6dbfac414d1b29fc0fe6feb4f5f
Opcode Fuzzy Hash: 31c299646375ebf605049c666f22f2d600c2cc8bb05519b040644b0548b3472e
Instruction Fuzzy Hash: 9511BF71100248AFEB128E64DC44AFB376AEB043B5F508724FD61931E0C7B9DC999754

Function 00726C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00726CB6
_wcslen.LIBCMT ref: 00726CC2

Strings

STOP, xrefs: 00726CBC, 00726CC1

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 8bb9c13fe17d8754bbb97b7ea4f86461b2264681ecf0aba20935afb88eba4782
Instruction ID: 3c36c5d8855ab196bdd779ee746ccc6411a2bb6c340c9e1775df4dd709077056
Opcode Fuzzy Hash: 8bb9c13fe17d8754bbb97b7ea4f86461b2264681ecf0aba20935afb88eba4782
Instruction Fuzzy Hash: A7012632B0053A8BCB20BFFDEC809BF37B5EB60710700053AE86293190EB39E940C660

Function 00721CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00721D4C

Strings

ComboBox, xrefs: 00721CEB
ListBox, xrefs: 00721D16

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 81a049f2a653c82799459387d28c46a4411ed50b069c3596f47f5c99c70a5db4
Instruction ID: 9a7f49ec6a94766d36fba2b045fbaae67dc2d14af7b47e928df80902441f77b9
Opcode Fuzzy Hash: 81a049f2a653c82799459387d28c46a4411ed50b069c3596f47f5c99c70a5db4
Instruction Fuzzy Hash: C701D875741224EBCB08EFA4EC55EFE7769FB66350B44091EF832572C1EA3859088774

Function 00721BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00721C46

Strings

ComboBox, xrefs: 00721BE5
ListBox, xrefs: 00721C10

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8ef138519b96832fa31d9f0259ae3d5da763a33f54b7d9489dec92a7c13db834
Instruction ID: 20742e5f49191b7e7d11e71631e5bab74a642b4a6d9de561596b2c3faa7749fb
Opcode Fuzzy Hash: 8ef138519b96832fa31d9f0259ae3d5da763a33f54b7d9489dec92a7c13db834
Instruction Fuzzy Hash: AE01F7B56811186ACB08FB90D965EFF77A8EB21340F50041DA416732C1EA289F4887B5

Function 00721C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00721CC8

Strings

ComboBox, xrefs: 00721C69
ListBox, xrefs: 00721C94

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 565605d9b908227727cb30ec866c803570b28e6194a293f5122c831c032e4ba8
Instruction ID: d6f0c353bd952d3cd72d6768d6719b35a249d1e9cacdcfc63f172a4940421174
Opcode Fuzzy Hash: 565605d9b908227727cb30ec866c803570b28e6194a293f5122c831c032e4ba8
Instruction Fuzzy Hash: 2501D6B568122867CB04FBA0DA15FFE77A8EB21340F54042DB81273281EA689F58C7B5

Function 006DA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006DA529

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Strings

3yq, xrefs: 006DA545, 006DA54D, 006DA552
,%y, xrefs: 006DA509

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%y$3yq
API String ID: 2551934079-3864033816
Opcode ID: 8ebc4179513fb60824b0467d0cade4611669ea5d1cc926b7d010e65802513d36
Instruction ID: 663b1584f05954fb3a91dea97da54ba98f5cef3ad2972fb375d25d4929dda750
Opcode Fuzzy Hash: 8ebc4179513fb60824b0467d0cade4611669ea5d1cc926b7d010e65802513d36
Instruction Fuzzy Hash: 6301F232A05610ABDA04F7A9E81BBAD33A6DB05710F50006EF5125B3C3EE549D428AAF

Function 00721D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00721DD3

Strings

ComboBox, xrefs: 00721D75
ListBox, xrefs: 00721DA0

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e48ab5884da966b7493c96d6c8c47ba05e9f4378e56f5b29d349c5c06c989f90
Instruction ID: 8a6db663475f2043816d62e296b74b5bd41e47548f9e68280b43af29c4af4a09
Opcode Fuzzy Hash: e48ab5884da966b7493c96d6c8c47ba05e9f4378e56f5b29d349c5c06c989f90
Instruction Fuzzy Hash: 83F0A4B1B41228A6DB18FBA4DC56FFE7778FB11350F440D1DB832632C1DA685A088274

Function 00758172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00793018,0079305C), ref: 007581BF
CloseHandle.KERNEL32 ref: 007581D1

Strings

\0y, xrefs: 0075818A

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0y
API String ID: 3712363035-1819865517
Opcode ID: ce9f071819d1fbcd38ca12864f41893378abe223a25779503244005737f8eda6
Instruction ID: 6b66c2d7ab2673d62d233b7193c0a21f9ae636a8dd7d316d61ac55361158fdbc
Opcode Fuzzy Hash: ce9f071819d1fbcd38ca12864f41893378abe223a25779503244005737f8eda6
Instruction Fuzzy Hash: 83F089B1641304BFF75067696C46FB73A5EDB04751F008426BB08D51A1E6BE8E0187FD

Function 0074747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00747493
_wcslen.LIBCMT ref: 007474B9

Strings

3, 3, 16, 1, xrefs: 00747483

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a81283a1061d6cb602eca919fd0839422fbbaa1db5b48da545d663808d961de0
Instruction ID: 88ec1e1d92237eaebb33b4af3471da675d22322df564d891499f9aa949f2117b
Opcode Fuzzy Hash: a81283a1061d6cb602eca919fd0839422fbbaa1db5b48da545d663808d961de0
Instruction Fuzzy Hash: E4E02B422153E0109279227E9CC197F578ACFC9750710182FF981D2267EF98CD91D3F5

Function 00720B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00720B23

Strings

AutoIt, xrefs: 00720B17
Error allocating memory., xrefs: 00720B1C

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 8e626e0e7f99f4a10fa810177f696fd80c4c62ceb3d4d0decc9a451e37cfad65
Instruction ID: 3fd7d83084053343d1aea1bff8dad8f5285737fdda47859655fc190205e4e319
Opcode Fuzzy Hash: 8e626e0e7f99f4a10fa810177f696fd80c4c62ceb3d4d0decc9a451e37cfad65
Instruction Fuzzy Hash: D7E092712843182AD25137957C07FC97A85CF09B51F10042EFB48555C38AD6285046ED

Function 006E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006E0D71,?,?,?,006C100A), ref: 006DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,006C100A), ref: 006E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006C100A), ref: 006E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006E0D7F

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 007c395a7c73dded9d332b0350642c3569ab3da74e910a5424f26c47a60bdac2
Instruction ID: a3f2641a5f678537a645a0a32768c79c2d97d7be0fc33f91f182a0354e8dd4ee
Opcode Fuzzy Hash: 007c395a7c73dded9d332b0350642c3569ab3da74e910a5424f26c47a60bdac2
Instruction Fuzzy Hash: A6E06D702003818FE3619FB9E8047967BE1BF00745F00892DE882C6651DBF8E4888BA1

Function 006DE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006DE3D5

Strings

0%y, xrefs: 006DE3B5
8%y, xrefs: 006DE3CA

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%y$8%y
API String ID: 1385522511-1387198761
Opcode ID: 2bab89d4dbba6585c1925e65a7d188bdba715a053146366c1eaded7ca16dc5b6
Instruction ID: 558edf626fa9429b5b8b0d3b5520277a54db37afc767aaa385cae30716be22a0
Opcode Fuzzy Hash: 2bab89d4dbba6585c1925e65a7d188bdba715a053146366c1eaded7ca16dc5b6
Instruction Fuzzy Hash: 24E02631C0AA10EBCA04B718F854AEC3357AB44320B1341FBE1028F3D3DB792883868C

Function 00733017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0073302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00733044

Strings

aut, xrefs: 00733038

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 29934f749f6de0816312673e8d72d09f4061a10b8ba592495d3802258eaa6010
Instruction ID: 9acc9bc4ca2630910c0faef5e423add720d8fb051e26b6008c1dc742672753fe
Opcode Fuzzy Hash: 29934f749f6de0816312673e8d72d09f4061a10b8ba592495d3802258eaa6010
Instruction Fuzzy Hash: EDD0A5719403147BDB30A7949C4DFC73B6CD704751F0041517655D60D1DAF4D544CBD4

Function 0071D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0071D220

Strings

X64, xrefs: 0071D2A8
%.3d, xrefs: 0071D22B

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: daa47e4b155768959bb690f92e2529f71efff5dcec0bd6b3c3a851ad18bf9e66
Instruction ID: c6d5938cea6d67303ca881341f9d39f7f337fa7fe640df2d62acde873848e71d
Opcode Fuzzy Hash: daa47e4b155768959bb690f92e2529f71efff5dcec0bd6b3c3a851ad18bf9e66
Instruction Fuzzy Hash: 4FD012B1C08218E9CBA0A7D4CC499F9B37CFB19301F608453F91791080D63CD988AF61

Function 00752356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075236C
PostMessageW.USER32(00000000), ref: 00752373

Part of subcall function 0072E97B: Sleep.KERNEL32 ref: 0072E9F3

Strings

Shell_TrayWnd, xrefs: 00752365

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 188cff8617e047f72f3d9ee6e7512de35022616ce8903e51e4bf333daea78f12
Instruction ID: deaca400a7132a3fc05b75acc0e51a41158e9a4a7c0e7391b2253ad6dbed43d1
Opcode Fuzzy Hash: 188cff8617e047f72f3d9ee6e7512de35022616ce8903e51e4bf333daea78f12
Instruction Fuzzy Hash: 46D0C9723C1310BAE665B770AC1FFC666149B04B11F5089567645AA1D0D9E8B8418A58

Function 00752322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0075233F

Part of subcall function 0072E97B: Sleep.KERNEL32 ref: 0072E9F3

Strings

Shell_TrayWnd, xrefs: 00752325

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4f17a974fe0eef8bda7f733f6b2d51139103ca0b0e2c95b8000935011c651a0e
Instruction ID: 4f7f9ec8b32a99af20fa0f801e1bb0c574d454e2b118ebe631ae9263e0e9d28a
Opcode Fuzzy Hash: 4f17a974fe0eef8bda7f733f6b2d51139103ca0b0e2c95b8000935011c651a0e
Instruction Fuzzy Hash: 70D012763D4310BBE664B770EC1FFC67A149B00B11F1089567745AA1D0D9F8B841CB58

Function 006FBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 006FBE93
GetLastError.KERNEL32 ref: 006FBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006FBEFC

Memory Dump Source

Source File: 00000000.00000002.1861174251.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.1861144861.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861263646.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861344003.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1861375917.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: badad6fa2ddb691e2c5edece191d32d83ccb1249a8b4c526f67cdda63b53634c
Instruction ID: 20e8a1a9580670a75879245fb1a26a291b192d6ecd8caa27e9b856fdb1ccb748
Opcode Fuzzy Hash: badad6fa2ddb691e2c5edece191d32d83ccb1249a8b4c526f67cdda63b53634c
Instruction Fuzzy Hash: FC41F83460220EAFCF218F69CC44AFA7BA7EF41350F149169FA59972A1DB308D01CB55

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.2048674371.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2031611340.0000024CE7F69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028965135.0000024CEB622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2048674371.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2031611340.0000024CE7F69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2027992799.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1884555576.0000024CE0EF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2048674371.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2031611340.0000024CE7F69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2028965135.0000024CEB622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2048674371.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2031611340.0000024CE7F69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2027992799.0000024CEBDD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3069489502.00000180AB503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3069780185.0000022A62C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3069489502.00000180AB503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3069780185.0000022A62C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3069489502.00000180AB503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3069780185.0000022A62C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2028965135.0000024CEB6D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884555576.0000024CE0EF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2028965135.0000024CEB6D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2050572273.0000024CE2582000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884555576.0000024CE0EE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49893 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ff1f7eb9-5de2-4d4f-83a1-e15ddb28d979.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ff1f7eb9-5de2-4d4f-83a1-e15ddb28d979.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre