Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542678
MD5:	c50f8d8cb7a3471eb5472620f856a7fe
SHA1:	73ac31d1aacfaaa1afcfb0842487d118dc546035
SHA256:	69f4d532c8308798fea3b4638692d113e218ef1f54aceea2af35cccc96c3efb8
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C50F8D8CB7A3471EB5472620F856A7FE)

taskkill.exe (PID: 7148 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3864 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3620 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6860 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6408 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7148 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5660 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7080 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6232 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2248 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0e9e8c-2c71-4c21-bbc2-599cb7b02975} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12e8cb6ed10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7472 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4140 -prefMapHandle 4136 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f7c976-22af-47d7-aeed-3e85c38de67b} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12e8cb7fb10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7344 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3832 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5076 -prefMapHandle 5292 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef3bc804-8237-494b-b935-3660cdebc83d} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12eab15e510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Code function: 0_2_0037EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0037EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0037ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0037ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0037EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0036AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0036AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00399576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00399576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_44259191-4
Source: file.exe, 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a1cec146-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6124500a-9
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_54e5baf1-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002EEA57A2377 NtQuerySystemInformation,		16_2_000002EEA57A2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002EEA57C3DB2 NtQuerySystemInformation,		16_2_000002EEA57C3DB2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0036D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0036D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00361201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00361201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0036E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0036E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030BF40	0_2_0030BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00308060	0_2_00308060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00372046	0_2_00372046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00368298	0_2_00368298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033E4FF	0_2_0033E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033676B	0_2_0033676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00394873	0_2_00394873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032CAA0	0_2_0032CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030CAF0	0_2_0030CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031CC39	0_2_0031CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00336DD9	0_2_00336DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031D064	0_2_0031D064
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031B119	0_2_0031B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003091C0	0_2_003091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00321394	0_2_00321394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00321706	0_2_00321706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032781B	0_2_0032781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00307920	0_2_00307920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031997D	0_2_0031997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003219B0	0_2_003219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00327A4A	0_2_00327A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00321C77	0_2_00321C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00327CA7	0_2_00327CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00353CD2	0_2_00353CD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0038BE44	0_2_0038BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00339EEE	0_2_00339EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00321F32	0_2_00321F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002EEA57A2377	16_2_000002EEA57A2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002EEA57C3DB2	16_2_000002EEA57C3DB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002EEA57C44DC	16_2_000002EEA57C44DC
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002EEA57C3DF2	16_2_000002EEA57C3DF2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00320A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0031F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@34/36@66/13

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003737B5 GetLastError,FormatMessageW,

0_2_003737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003610BF AdjustTokenPrivileges,CloseHandle,		0_2_003610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0036D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0036D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0037648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0037648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Mozilla Firefox\firefox.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1998323717.0000012E9DF69000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: UPDATE moz_places SET foreign_count = foreign_count + 1 WHERE id = NEW.place_id;

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2248 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0e9e8c-2c71-4c21-bbc2-599cb7b02975} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12e8cb6ed10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4140 -prefMapHandle 4136 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f7c976-22af-47d7-aeed-3e85c38de67b} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12e8cb7fb10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3832 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5076 -prefMapHandle 5292 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef3bc804-8237-494b-b935-3660cdebc83d} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12eab15e510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2248 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0e9e8c-2c71-4c21-bbc2-599cb7b02975} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12e8cb6ed10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4140 -prefMapHandle 4136 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f7c976-22af-47d7-aeed-3e85c38de67b} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12e8cb7fb10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3832 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5076 -prefMapHandle 5292 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef3bc804-8237-494b-b935-3660cdebc83d} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12eab15e510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1980623652.0000012EA6B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.2000200630.0000012E9D792000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2011440434.0000012E9D75A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1990403904.0000012E9C6AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1978943898.0000012E9C6B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1990403904.0000012E9C6AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1990403904.0000012E9C6AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000D.00000003.1969171722.0000012E9C693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1978943898.0000012E9C6B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000D.00000003.2011440434.0000012E9D75A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1980623652.0000012EA6B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1990403904.0000012E9C6AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.2011440434.0000012E9D75A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000D.00000003.2011440434.0000012E9D75A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdbGCTL source: firefox.exe, 0000000D.00000003.1969171722.0000012E9C693000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003042DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00320A76 push ecx; ret

0_2_00320A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0031F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00391C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00391C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96112

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002EEA57A2377 rdtsc

16_2_000002EEA57A2377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0036DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0036DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003768EE FindFirstFileW,FindClose,	0_2_003768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0037698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0036D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0036D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0036D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0036D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00379642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00379642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0037979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00379B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00379B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00375C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00375C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003042DE

Source: firefox.exe, 00000010.00000002.3031468638.000002EEA58A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\
Source: firefox.exe, 0000000F.00000002.3032336175.000002323DD40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWm
Source: firefox.exe, 0000000F.00000002.3032336175.000002323DD40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3026774298.000002323D40A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3027290511.000002EEA50AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3026846005.0000028D299CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3031788388.000002323D91B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3032336175.000002323DD40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3026774298.000002323D40A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3031468638.000002EEA58A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002EEA57A2377 rdtsc

16_2_000002EEA57A2377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0037EAA2 BlockInput,

0_2_0037EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00332622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00332622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00324CE8 mov eax, dword ptr fs:[00000030h]

0_2_00324CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00360B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00360B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00332622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00332622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0032083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003209D5 SetUnhandledExceptionFilter,	0_2_003209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00320C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00320C21

Source: C:\Users\user\Desktop\file.exe

0_2_00361201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00342BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00342BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0036B226 SendInput,keybd_event,

0_2_0036B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_003822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00360B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00361663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00361663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1962893373.0000012EA6B01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00320698 cpuid

0_2_00320698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00378195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00378195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0035D27A GetUserNameW,

0_2_0035D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0033BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0033BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003042DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00381204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00381204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00381806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00381806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://poczta.interia.pl/mh/?mailto=%s	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
star-mini.c10r.facebook.com	157.240.253.35	true	false	0%, Virustotal, Browse	unknown
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.129	true	false		unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.193.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	142.250.184.206	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.129.140	true	false		unknown
ipv4only.arpa	192.0.0.171	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1846982784.0000012EA4E4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2004276871.0000012EA4E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988436013.0000012E9E30E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958755886.0000012EA4E41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976251292.0000012EA4E41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982698243.0000012EA4E41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3028038855.000002EEA52C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028824758.0000028D29CC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1977036489.0000012E9F0F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1899831837.0000012EAB1C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2002102055.0000012EAB1C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3028963068.000002323D8CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3028038855.000002EEA52F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3031647232.0000028D29E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3028038855.000002EEA52CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028824758.0000028D29C8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1998041141.0000012E9DFC7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.2010680822.0000012E9D8B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1909183256.0000012E9F2E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1984919181.0000012E9EDCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2007130853.0000012E9EDCD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1811831620.0000012E9C93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811963739.0000012E9C95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812091999.0000012E9C977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811656881.0000012E9C91F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811447489.0000012E9C700000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1847894608.0000012E9E4D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1986743337.0000012E9E4D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1846982784.0000012EA4E60000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1926203386.0000012EA5025000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811831620.0000012E9C93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984429835.0000012E9F043000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811963739.0000012E9C95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912303876.0000012EA5025000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947971675.0000012EA502D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812091999.0000012E9C977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811656881.0000012E9C91F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811447489.0000012E9C700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2006547134.0000012E9F043000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1959575762.0000012E9FF46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903260638.0000012E9FF46000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1811831620.0000012E9C93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811963739.0000012E9C95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812091999.0000012E9C977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811656881.0000012E9C91F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811447489.0000012E9C700000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1998041141.0000012E9DFC7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3028963068.000002323D8CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3028038855.000002EEA52F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3031647232.0000028D29E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.2001155871.0000012EAB56F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1896727471.0000012EA50E6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1900874032.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1995289456.0000012E9E74B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3028963068.000002323D8CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3028038855.000002EEA52F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3031647232.0000028D29E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1848148289.0000012E9D7F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000200630.0000012E9D7F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1972125475.0000012EA6A74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3028038855.000002EEA520A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028824758.0000028D29C0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1874638039.0000012E9D432000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894516455.0000012EA5287000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.2010680822.0000012E9D8CD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.2001155871.0000012EAB56F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.2011495333.0000012E9D737000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958755886.0000012EA4E41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976251292.0000012EA4E41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982698243.0000012EA4E41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3028038855.000002EEA52C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028824758.0000028D29CC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1959055628.0000012EA487B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902062485.0000012EA487B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2004516524.0000012EA4882000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1874638039.0000012E9D426000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1912456564.0000012E9EFB3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.2001155871.0000012EAB56F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1984429835.0000012E9F020000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2006547134.0000012E9F022000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1995289456.0000012E9E74B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.2010680822.0000012E9D8B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1982698243.0000012EA4E41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900874032.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3028038855.000002EEA5212000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028824758.0000028D29C13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1846982784.0000012EA4E60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1850116913.0000012EA4FD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010446869.0000012E9DB1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2026298387.0000012E9D3FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934411961.0000012E9D4E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959530488.0000012EA485E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812999216.0000012E9C968000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1943668950.0000012EA4FC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867776432.0000012E9D3E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939579571.0000012E9D4C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912456564.0000012E9EFB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926283832.0000012E9EF9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1996114490.0000012E9E364000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901091481.0000012EA4EC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2005494049.0000012E9F520000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958569449.0000012EA4EC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942065721.0000012E9D3D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960362840.0000012E9FF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960362840.0000012E9FF0C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904291815.0000012E9FF0C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1943668950.0000012EA4FD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942065721.0000012E9D3E6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1959575762.0000012E9FF46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903260638.0000012E9FF46000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1905680530.0000012E9F5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960860931.0000012E9F5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959575762.0000012E9FF46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903260638.0000012E9FF46000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/userw	firefox.exe, 00000011.00000002.3028824758.0000028D29CF8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1958154083.0000012EA4ED7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901091481.0000012EA4ED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1848148289.0000012E9D7F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000200630.0000012E9D7F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1848148289.0000012E9D7F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000200630.0000012E9D7F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1999125887.0000012E9DB4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1813707624.0000012E9C433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949077125.0000012E9C438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947223819.0000012E9C438000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1909100760.0000012E9F2EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962632217.0000012E9F2EB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.2005279786.0000012E9FF5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1994211120.0000012E9FF4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903260638.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959575762.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1874638039.0000012E9D432000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894516455.0000012EA5287000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1813707624.0000012E9C433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949077125.0000012E9C438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947223819.0000012E9C438000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.2001155871.0000012EAB56F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3028963068.000002323D8CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3028038855.000002EEA52F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3031647232.0000028D29E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.2011440434.0000012E9D75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1900352545.0000012EA99FB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1811447489.0000012E9C700000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1926203386.0000012EA5025000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811831620.0000012E9C93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984429835.0000012E9F043000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811963739.0000012E9C95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912303876.0000012EA5025000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947971675.0000012EA502D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812091999.0000012E9C977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811656881.0000012E9C91F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811447489.0000012E9C700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2006547134.0000012E9F043000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1846982784.0000012EA4E60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1998041141.0000012E9DFC7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3028335598.000002323D5E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3030702265.000002EEA5760000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3028464960.0000028D29AB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1972125475.0000012EA6A74000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1958154083.0000012EA4ED7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901091481.0000012EA4ED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1874638039.0000012E9D432000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894516455.0000012EA5287000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1813707624.0000012E9C433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949077125.0000012E9C438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947223819.0000012E9C438000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000D.00000003.1995289456.0000012E9E74B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1850116913.0000012EA4FD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849301935.0000012EA4F95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849851799.0000012EA4FA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848865534.0000012EA4F91000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	firefox.exe, 0000000D.00000003.1995289456.0000012E9E74B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.115.113	unknown	United States	15169	GOOGLEUS	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
157.240.253.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542678
Start date and time:	2024-10-26 06:44:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@34/36@66/13
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 44.231.229.39, 52.13.186.250, 2.22.61.59, 2.22.61.56, 142.250.186.174, 142.250.185.234, 142.250.185.202
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7080 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:45:15	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
151.101.193.91	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
example.org	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
dyna.wikimedia.org	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
twitter.com	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	https://load.aberegg-immobilien.ch/	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	SecuriteInfo.com.Trojan.Agent.GMXD.11819.15970.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	SecuriteInfo.com.Trojan.Agent.GMXD.11819.15970.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	57.231.209.91
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	48.152.9.65
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	57.231.209.91
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	48.152.9.65

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 142.250.115.113 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0fdd5269-5fd6-4aa1-a5d9-8ff725c1ecb4.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179510819706107
Encrypted:	false
SSDEEP:	192:BOjMiHzEcbhbVbTbfbRbObtbyEl7nsNpJA6WnSrDtTUd/SkDr5:BOYZcNhnzFSJMNEBnSrDhUd/T
MD5:	81297D20DD3963CDCF39F9EB4D926384
SHA1:	33A5FCCD203B02C1306AE76358CB76427CAC1151
SHA-256:	8D20B3D832C25113BB0DA5A9E9AD306F116B94B8F31D0196D2458B2A7E856756
SHA-512:	2E4EE1C3CB47EE8C94C5ACD1FC07E50992E24522954D3AB065A6420827E7DDDE2E3751BC714D335236961F514EDF03C5BE85D46DA46C69C8BF51757BE7FEE724
Malicious:	false
Preview:	{"type":"uninstall","id":"0fdd5269-5fd6-4aa1-a5d9-8ff725c1ecb4","creationDate":"2024-10-26T05:51:28.592Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0fdd5269-5fd6-4aa1-a5d9-8ff725c1ecb4.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179510819706107
Encrypted:	false
SSDEEP:	192:BOjMiHzEcbhbVbTbfbRbObtbyEl7nsNpJA6WnSrDtTUd/SkDr5:BOYZcNhnzFSJMNEBnSrDhUd/T
MD5:	81297D20DD3963CDCF39F9EB4D926384
SHA1:	33A5FCCD203B02C1306AE76358CB76427CAC1151
SHA-256:	8D20B3D832C25113BB0DA5A9E9AD306F116B94B8F31D0196D2458B2A7E856756
SHA-512:	2E4EE1C3CB47EE8C94C5ACD1FC07E50992E24522954D3AB065A6420827E7DDDE2E3751BC714D335236961F514EDF03C5BE85D46DA46C69C8BF51757BE7FEE724
Malicious:	false
Preview:	{"type":"uninstall","id":"0fdd5269-5fd6-4aa1-a5d9-8ff725c1ecb4","creationDate":"2024-10-26T05:51:28.592Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.931411402711422
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNH9U:8S+OfJQPUFpOdwNIOdYVjvYcXaNLMz8P
MD5:	3752F6B6D9F1C8E56153B7027A49FD77
SHA1:	EE6632A06579229CC38E45C4A4F9DC55B9A53C3D
SHA-256:	8D0F5CD146071CB649B41B68B9145E30529EFA2111D31026FEAEF456F99A041D
SHA-512:	7F1C8E42A2336CCDEC4A468AC61D0937281FB1CD69D48B23B8CEA4D07ABAD74C11D69B6D7E443B341E28831FD3052593DA3A187A437334BDEE2B9943BDB75514
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.931411402711422
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNH9U:8S+OfJQPUFpOdwNIOdYVjvYcXaNLMz8P
MD5:	3752F6B6D9F1C8E56153B7027A49FD77
SHA1:	EE6632A06579229CC38E45C4A4F9DC55B9A53C3D
SHA-256:	8D0F5CD146071CB649B41B68B9145E30529EFA2111D31026FEAEF456F99A041D
SHA-512:	7F1C8E42A2336CCDEC4A468AC61D0937281FB1CD69D48B23B8CEA4D07ABAD74C11D69B6D7E443B341E28831FD3052593DA3A187A437334BDEE2B9943BDB75514
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733666067446506
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiR:DLhesh7Owd4+ji
MD5:	86E2878C880B3FE66A1B869C9D076F78
SHA1:	66819F7F300D284A249B02A8571B054DB8130092
SHA-256:	E96814CB21A76F34AFF07FAD3DC6C282888CF350AFD2A483E6EFFA7F7154AC1D
SHA-512:	12416E2DAD05C4EB66259856C2F21FE1AD03BD679C6872B58539634B89B8FE421D40EF279D1BA13043C1CB6B490E2E7E13B8560A928DCB0201210B758D6862D2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFVqJoDZn9o3lstFVqJoDZnlZ89//alEl:GtWtaJCZn94WtaJCZnlZ89XuM
MD5:	94211E59B397389C408E7EF26F2FE208
SHA1:	80A17F723AFE9FD10CA6F8DBF004783F9E4F9C0D
SHA-256:	78DBD32ACE4EB9FB63DE7126A6FDF3C7A86827EED908B229FCE433D47E71B860
SHA-512:	6E3D6237C80F54E544500542BEEE198B17475417283F3E0E9A44DFF4A27F4C497DA95FCF6878CD32B26045F41F08F93A361B66690D771BB9D3B925ED1DBD5782
Malicious:	false
Preview:	..-......................./;..Q.D..vg..'.(^.C.....-......................./;..Q.D..vg..'.(^.C...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03983632420097889
Encrypted:	false
SSDEEP:	3:Ol1xVCnDp+Yey/IhK7S/4wl8rEXsxdwhml8XW3R2:KUnDp+YbEK7S/4wl8dMhm93w
MD5:	AFC5F6F78E86E350B1C220B0E95CF70E
SHA1:	AD83B1C3795A70564FA98D59AF2CC0903C912770
SHA-256:	ED78E031634E3E8B4CA4BECD0EB7E290BF7136C2B09F5BE1BA455BD95FB6F1DB
SHA-512:	03EC4012A003AF2793CF386AE10B21B231FE07D47CBB9B0E883783BA5362BB474261823B383C1A337D116346DD763C212D87389D8BA8BF8FB55B7CC91018DF57
Malicious:	false
Preview:	7....-..........D..vg..'L[.W,.Wc........D..vg..';/...Q..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495177353626182
Encrypted:	false
SSDEEP:	192:onaRtLYbBp6yhj4qyaaXf6KcmN8e5RfGNBw8dUSl:leoqpLiPcwf0
MD5:	BF814112BB61F65560CBB32EE86D3BB4
SHA1:	4AFFE1EC305EB9DF09B5D4E79ECC0876DF7712FE
SHA-256:	1E0EB8556963247DD0F7D3B12A8ED90CDF3EDDA2398F8B185E968247D23E7D66
SHA-512:	D645B338282330B1168F28009862C49B5170FA4AAAE70E11E8CFCDE3331FB83C1386AB646C5A3EDAC16DAF90EE5E5A45BF010F0B6F930BD91B72890669C8F57F
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729921859);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729921859);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729921859);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172992

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495177353626182
Encrypted:	false
SSDEEP:	192:onaRtLYbBp6yhj4qyaaXf6KcmN8e5RfGNBw8dUSl:leoqpLiPcwf0
MD5:	BF814112BB61F65560CBB32EE86D3BB4
SHA1:	4AFFE1EC305EB9DF09B5D4E79ECC0876DF7712FE
SHA-256:	1E0EB8556963247DD0F7D3B12A8ED90CDF3EDDA2398F8B185E968247D23E7D66
SHA-512:	D645B338282330B1168F28009862C49B5170FA4AAAE70E11E8CFCDE3331FB83C1386AB646C5A3EDAC16DAF90EE5E5A45BF010F0B6F930BD91B72890669C8F57F
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729921859);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729921859);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729921859);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172992

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5762 bytes
Category:	dropped
Size (bytes):	1554
Entropy (8bit):	6.337739896502115
Encrypted:	false
SSDEEP:	24:vQSUG6M20LXrIgcjpnQGNgIyXGH3j6xeChdFkgEQH2oXpk6rfNge4:opcCpfgcGxeCFjEkpkiNR4
MD5:	17D01E5F9BF23897168C604941ED41E1
SHA1:	05930E1E24D30D3114C6A4D4B6A5FF5B6A82404A
SHA-256:	DAAA2886BEA485EDA06DF9007229AF993A221F0B562FBCEB7DDCF4A4892B869A
SHA-512:	2E37D3E23766535356E47DBA8E3C30E151C11EEB3EBCBD63CE7AD3BD25B27953FEEA0D1C59A59ECA1E0BD3A6D604E5AE77F9092C243E5439F48BE893388F1DDD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":6,"docshellUU...D"{4a99abf2-c9c8-473a-bb91-4f43768f4143}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729921864448,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2167541758P...dth":1280,"height":1024,"screenX......Y..Aizem..."maximized"...BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...W...m...........;..=.1":{..jUpdate...9,"startTim..A2850...centCrash..B0},".....Dcooks. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,..Donly..fexpiry...34983,"originA...."firstPartyDomain":"","geckoViewS....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5762 bytes
Category:	dropped
Size (bytes):	1554
Entropy (8bit):	6.337739896502115
Encrypted:	false
SSDEEP:	24:vQSUG6M20LXrIgcjpnQGNgIyXGH3j6xeChdFkgEQH2oXpk6rfNge4:opcCpfgcGxeCFjEkpkiNR4
MD5:	17D01E5F9BF23897168C604941ED41E1
SHA1:	05930E1E24D30D3114C6A4D4B6A5FF5B6A82404A
SHA-256:	DAAA2886BEA485EDA06DF9007229AF993A221F0B562FBCEB7DDCF4A4892B869A
SHA-512:	2E37D3E23766535356E47DBA8E3C30E151C11EEB3EBCBD63CE7AD3BD25B27953FEEA0D1C59A59ECA1E0BD3A6D604E5AE77F9092C243E5439F48BE893388F1DDD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":6,"docshellUU...D"{4a99abf2-c9c8-473a-bb91-4f43768f4143}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729921864448,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2167541758P...dth":1280,"height":1024,"screenX......Y..Aizem..."maximized"...BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...W...m...........;..=.1":{..jUpdate...9,"startTim..A2850...centCrash..B0},".....Dcooks. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,..Donly..fexpiry...34983,"originA...."firstPartyDomain":"","geckoViewS....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5762 bytes
Category:	dropped
Size (bytes):	1554
Entropy (8bit):	6.337739896502115
Encrypted:	false
SSDEEP:	24:vQSUG6M20LXrIgcjpnQGNgIyXGH3j6xeChdFkgEQH2oXpk6rfNge4:opcCpfgcGxeCFjEkpkiNR4
MD5:	17D01E5F9BF23897168C604941ED41E1
SHA1:	05930E1E24D30D3114C6A4D4B6A5FF5B6A82404A
SHA-256:	DAAA2886BEA485EDA06DF9007229AF993A221F0B562FBCEB7DDCF4A4892B869A
SHA-512:	2E37D3E23766535356E47DBA8E3C30E151C11EEB3EBCBD63CE7AD3BD25B27953FEEA0D1C59A59ECA1E0BD3A6D604E5AE77F9092C243E5439F48BE893388F1DDD
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":6,"docshellUU...D"{4a99abf2-c9c8-473a-bb91-4f43768f4143}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729921864448,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2167541758P...dth":1280,"height":1024,"screenX......Y..Aizem..."maximized"...BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...W...m...........;..=.1":{..jUpdate...9,"startTim..A2850...centCrash..B0},".....Dcooks. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,..Donly..fexpiry...34983,"originA...."firstPartyDomain":"","geckoViewS....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0346061677622
Encrypted:	false
SSDEEP:	48:YrSAYy6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycyyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	C9375E49C6896ED884F19E8207234BD6
SHA1:	EA4B8CAAEE0943277280E9B0314B393543885676
SHA-256:	510B6786AA83548B8913F0C410141AB5B526C777FBA9948A207F77DC5A2C2A68
SHA-512:	17BF89A83284A21090AF9259330968A0828F84567F9ECF37DCF7C7CD35B99207D3D29E59A94CA2A3B0F7CE87BB27EEC78676659029F8E4DA289C7EBBC174E19B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-26T05:50:44.899Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0346061677622
Encrypted:	false
SSDEEP:	48:YrSAYy6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycyyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	C9375E49C6896ED884F19E8207234BD6
SHA1:	EA4B8CAAEE0943277280E9B0314B393543885676
SHA-256:	510B6786AA83548B8913F0C410141AB5B526C777FBA9948A207F77DC5A2C2A68
SHA-512:	17BF89A83284A21090AF9259330968A0828F84567F9ECF37DCF7C7CD35B99207D3D29E59A94CA2A3B0F7CE87BB27EEC78676659029F8E4DA289C7EBBC174E19B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-26T05:50:44.899Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583720909393008
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	c50f8d8cb7a3471eb5472620f856a7fe
SHA1:	73ac31d1aacfaaa1afcfb0842487d118dc546035
SHA256:	69f4d532c8308798fea3b4638692d113e218ef1f54aceea2af35cccc96c3efb8
SHA512:	a94ac5bc826aec5a79a9ee22408ddf4fa92dc43c085691fd187f46033c46545e4d182ec6eae096245db138f2a093defd6993956fa8c8277c927c3cf4958deed3
SSDEEP:	12288:1qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagTJ:1qDEvCTbMWu7rQYlBQcBiT6rprG8a4J
TLSH:	65159E0273D1C062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671C72CD [Sat Oct 26 04:40:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FD514B7D7A3h
jmp 00007FD514B7D0AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD514B7D28Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD514B7D25Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD514B7FE4Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FD514B7FE98h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FD514B7FE81h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9bf4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9bf4	0x9c00	0eedfd910d5b367cdb1164f8aa49f1f5	False	0.31825921474358976	data	5.330686053168525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xebc	data			1.002916224814422
RT_GROUP_ICON	0xdd674	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd6ec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd700	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd714	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd728	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd804	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 06:45:11.813725948 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:11.813811064 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:11.816438913 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:11.822844028 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:11.822901964 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:12.448649883 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:12.449460983 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:12.457211018 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:12.457231045 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:12.457372904 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:12.457505941 CEST	443	49738	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:12.457659960 CEST	49738	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:14.118995905 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.119071007 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:14.119605064 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.121201992 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.121232986 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:14.300205946 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:14.305663109 CEST	80	49741	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:14.305877924 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:14.305877924 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:14.311336994 CEST	80	49741	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:14.507036924 CEST	49742	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.507103920 CEST	443	49742	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:14.508510113 CEST	49742	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.510039091 CEST	49742	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.510066032 CEST	443	49742	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:14.727344036 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:14.727370024 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:14.729557991 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:14.734443903 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:14.734458923 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:14.755156040 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:14.755239964 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:14.755373001 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:14.755470991 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:14.755495071 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:14.755819082 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:14.755841017 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:14.756134033 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:14.757448912 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:14.757476091 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:14.893423080 CEST	80	49741	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:14.952305079 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:14.991329908 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:14.992247105 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.996529102 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.996562958 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:14.996646881 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:14.996779919 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:14.997523069 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:15.361777067 CEST	443	49742	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:15.362890005 CEST	49742	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:15.366755009 CEST	49742	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:15.366767883 CEST	443	49742	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:15.366874933 CEST	49742	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:15.367063999 CEST	443	49742	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:15.367249012 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:15.367347956 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:15.367351055 CEST	49742	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:15.367568970 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:15.368885994 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:15.368923903 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:15.379213095 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:15.379879951 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:15.382797956 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:15.382810116 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:15.383147001 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:15.384803057 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.385750055 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:15.385833025 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:15.385951042 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:15.386097908 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:15.386097908 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.390028954 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.390042067 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.390142918 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.390260935 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.390619040 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.390650034 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.390696049 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.391334057 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.392714024 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.392729044 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.465451002 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.468281031 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.490382910 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:15.492150068 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.492162943 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.492238998 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.492584944 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.492624044 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.492862940 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.496026993 CEST	80	49741	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:15.508800030 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.508817911 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.508857012 CEST	49741	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:15.532190084 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:15.532207966 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:15.643040895 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:15.643569946 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 26, 2024 06:45:15.643644094 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 26, 2024 06:45:15.643836975 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 26, 2024 06:45:15.643949032 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 26, 2024 06:45:15.643979073 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 26, 2024 06:45:15.648677111 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:15.649876118 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:15.650341034 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:15.655695915 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:15.664686918 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:15.670195103 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:15.670780897 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:15.670914888 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:15.676270008 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:15.999820948 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.000917912 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.004852057 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.004858971 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.004925013 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.005211115 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.005268097 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.108208895 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.108289003 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.109216928 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.110500097 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.110534906 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.259150982 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:16.259242058 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:16.263492107 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:16.264180899 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:16.264230967 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:16.264261961 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:16.264401913 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 26, 2024 06:45:16.264636040 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 26, 2024 06:45:16.265295029 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 26, 2024 06:45:16.265367985 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 26, 2024 06:45:16.268074989 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 26, 2024 06:45:16.268114090 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 26, 2024 06:45:16.268481970 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 26, 2024 06:45:16.270698071 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 26, 2024 06:45:16.270756006 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 26, 2024 06:45:16.270901918 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 26, 2024 06:45:16.270971060 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 26, 2024 06:45:16.280719042 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:16.309729099 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:16.325366020 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:16.410871983 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:16.411887884 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:16.416229010 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:16.417319059 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:16.537338972 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:16.538610935 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:16.579385996 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:16.579399109 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:16.700725079 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:16.706345081 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:16.739173889 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.739268064 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.744148970 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.744194984 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.744260073 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.744410992 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.744476080 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.744599104 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.744637012 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.744710922 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.746042013 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:16.746062994 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:16.778603077 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:16.778681040 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:16.779956102 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:16.781668901 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:16.781704903 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:16.832190037 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:16.880198002 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:17.039896965 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:17.045428038 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:17.165838003 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:17.212284088 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:18.334096909 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:18.334173918 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:18.337394953 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:18.337426901 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:18.337570906 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:18.339710951 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:18.339768887 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:18.339816093 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:18.340018034 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:18.340183020 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:18.341980934 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:18.342010021 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:18.342103004 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:18.342263937 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 06:45:18.342334032 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 06:45:18.346630096 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:18.346972942 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:18.350344896 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:18.350358963 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:18.350384951 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:18.350544930 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:18.350651979 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:19.379127979 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:19.379712105 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:19.384609938 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:19.385132074 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:19.396444082 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:19.396507025 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:19.407474041 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:19.409022093 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:19.409040928 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:19.418605089 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:19.418637037 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:19.418855906 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:19.418947935 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:19.418958902 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:19.505579948 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:19.511845112 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:19.548001051 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:19.563715935 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:20.027765036 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:20.027786016 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:20.032643080 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:20.039376974 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:20.044855118 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:20.044863939 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:20.045051098 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:20.584889889 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:20.584966898 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:20.585901976 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:20.587441921 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:20.587443113 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:20.587518930 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:20.587558031 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:20.587634087 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:20.588044882 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:20.588114023 CEST	443	49758	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:20.589097977 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:20.589140892 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:20.589416981 CEST	49758	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:23.733545065 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:23.739052057 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:23.862032890 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:23.909446001 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:24.281044006 CEST	49766	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.281088114 CEST	443	49766	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:24.281702042 CEST	49766	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.282794952 CEST	49766	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.282834053 CEST	443	49766	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:24.289515018 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:24.294823885 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:24.415016890 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:24.450587034 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:24.450669050 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:24.450756073 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:24.452116013 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:24.452159882 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:24.464256048 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:24.738276005 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:24.743838072 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:24.794670105 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:24.794744968 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:24.796401024 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:24.800833941 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:24.800877094 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:24.866456032 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:24.896153927 CEST	443	49766	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:24.896277905 CEST	49766	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.912280083 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:24.938241959 CEST	49766	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.938241959 CEST	49766	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.938354015 CEST	443	49766	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:24.938630104 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.938729048 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:24.938954115 CEST	443	49766	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:24.940519094 CEST	49766	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.940651894 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.941982031 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:24.942056894 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:25.065815926 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:25.066287994 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:25.070638895 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:25.070640087 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:25.070694923 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:25.071268082 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:25.073476076 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:25.519524097 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:25.519597054 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:25.554199934 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:25.554291964 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:25.938638926 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:25.938669920 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:25.938710928 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:25.938827038 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:25.938904047 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:25.938937902 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:25.938973904 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:25.939176083 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:25.939472914 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:25.939532042 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:26.106353045 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:26.110035896 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.110065937 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.111980915 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:26.114492893 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.115736961 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.115755081 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.199230909 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.199269056 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.200129032 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.200254917 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.200284958 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.244019985 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:26.277276993 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.277355909 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.278409958 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.278518915 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.278544903 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.300621033 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:26.375082016 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:26.380561113 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:26.509772062 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:26.570276022 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:26.724963903 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.725052118 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.831705093 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.831784964 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:26.907742023 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:26.915620089 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.071089983 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.071162939 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:27.072109938 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:27.073244095 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.073318958 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:27.074345112 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:27.075639963 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.075680017 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:27.075725079 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.075957060 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.076045990 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.076237917 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:27.076419115 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:27.077980042 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.077996016 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.078139067 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.118690968 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.395119905 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.395205021 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.395876884 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 06:45:27.396205902 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:45:27.490180016 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.495815039 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:27.616955996 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:27.673410892 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.688589096 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.688842058 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.694045067 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:27.694186926 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:27.814596891 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:27.815242052 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.816294909 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:27.817167997 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.820939064 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:27.821089983 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.873969078 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.891606092 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:27.899369955 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:27.903606892 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:28.533056974 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:28.538566113 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:28.657799006 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:28.707639933 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:36.119340897 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:36.119425058 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:36.119533062 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:36.129882097 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:36.129961967 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:36.748024940 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:36.748128891 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:36.752187967 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:36.752187967 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:36.752243042 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:36.752530098 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:36.753031015 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:36.755485058 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:36.760868073 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:36.884453058 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:36.903449059 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:36.908876896 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:36.946526051 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:37.026449919 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:37.078236103 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:40.108678102 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.108721972 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.109236956 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.109298944 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.109313011 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.132566929 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.132648945 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:40.132693052 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:40.132742882 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:40.138094902 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.138407946 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.138407946 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:40.138456106 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:40.140698910 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:40.140732050 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:40.141313076 CEST	49779	443	192.168.2.4	151.101.193.91
Oct 26, 2024 06:45:40.141395092 CEST	443	49779	151.101.193.91	192.168.2.4
Oct 26, 2024 06:45:40.142395973 CEST	49779	443	192.168.2.4	151.101.193.91
Oct 26, 2024 06:45:40.142504930 CEST	49779	443	192.168.2.4	151.101.193.91
Oct 26, 2024 06:45:40.142538071 CEST	443	49779	151.101.193.91	192.168.2.4
Oct 26, 2024 06:45:40.155869961 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 26, 2024 06:45:40.155951023 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 26, 2024 06:45:40.157027960 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 26, 2024 06:45:40.158987999 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 26, 2024 06:45:40.159054995 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 26, 2024 06:45:40.736782074 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.737031937 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.741333008 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.741385937 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.741729975 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.745029926 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.745031118 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.745242119 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.747355938 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.749768972 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:40.751919985 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:40.752007961 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.755930901 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.755963087 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:40.756319046 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:40.757098913 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:40.757210016 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:40.757388115 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:40.757781029 CEST	443	49779	151.101.193.91	192.168.2.4
Oct 26, 2024 06:45:40.758304119 CEST	49779	443	192.168.2.4	151.101.193.91
Oct 26, 2024 06:45:40.763137102 CEST	49779	443	192.168.2.4	151.101.193.91
Oct 26, 2024 06:45:40.763189077 CEST	443	49779	151.101.193.91	192.168.2.4
Oct 26, 2024 06:45:40.763715982 CEST	443	49779	151.101.193.91	192.168.2.4
Oct 26, 2024 06:45:40.765033960 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.765131950 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.765261889 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:40.766726971 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.768140078 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:40.768167019 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:40.768239021 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:40.768444061 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 26, 2024 06:45:40.768822908 CEST	49779	443	192.168.2.4	151.101.193.91
Oct 26, 2024 06:45:40.768822908 CEST	49779	443	192.168.2.4	151.101.193.91
Oct 26, 2024 06:45:40.769001007 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 26, 2024 06:45:40.769238949 CEST	443	49779	151.101.193.91	192.168.2.4
Oct 26, 2024 06:45:40.769435883 CEST	49779	443	192.168.2.4	151.101.193.91
Oct 26, 2024 06:45:40.778868914 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.778934002 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.779366016 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.779556036 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.779586077 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.782624006 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.782706976 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.783072948 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.783072948 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.783205032 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.785756111 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.785774946 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.785873890 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.786046982 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:40.786062956 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:40.787714958 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 26, 2024 06:45:40.787802935 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 26, 2024 06:45:40.793762922 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 26, 2024 06:45:40.793764114 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 26, 2024 06:45:40.793790102 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 26, 2024 06:45:40.794063091 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 26, 2024 06:45:40.794336081 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 26, 2024 06:45:40.809211969 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.809242964 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:40.809355974 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.809493065 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:40.809503078 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:40.877610922 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:40.880649090 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:40.886106968 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:40.926327944 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.003592014 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.058134079 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.414374113 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.414489031 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.417175055 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.417216063 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.418019056 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.420581102 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.420702934 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.420808077 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.420864105 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.422244072 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:41.423666954 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.424639940 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:41.424916983 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.427589893 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:41.427611113 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:41.427699089 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.428070068 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:41.429888010 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.429939985 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.430814981 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.432621956 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:41.432677031 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:41.432924986 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 26, 2024 06:45:41.433016062 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.433056116 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.433161974 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.433187962 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 26, 2024 06:45:41.433454037 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.433521032 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.553524971 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.556546926 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.562712908 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.612757921 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.642790079 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.643054008 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.648649931 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.648730040 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.649470091 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.651887894 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.651887894 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.652349949 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 26, 2024 06:45:41.653738976 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 26, 2024 06:45:41.655791044 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.661099911 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.680330038 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.728805065 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.781306982 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.784549952 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.790129900 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.828954935 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:41.907748938 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:41.960637093 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:43.281234026 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.281261921 CEST	443	64876	142.250.115.113	192.168.2.4
Oct 26, 2024 06:45:43.281753063 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.281929016 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.281940937 CEST	443	64876	142.250.115.113	192.168.2.4
Oct 26, 2024 06:45:43.925760984 CEST	443	64876	142.250.115.113	192.168.2.4
Oct 26, 2024 06:45:43.925972939 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.926824093 CEST	443	64876	142.250.115.113	192.168.2.4
Oct 26, 2024 06:45:43.926913023 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.929842949 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.929855108 CEST	443	64876	142.250.115.113	192.168.2.4
Oct 26, 2024 06:45:43.930242062 CEST	443	64876	142.250.115.113	192.168.2.4
Oct 26, 2024 06:45:43.932180882 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.932262897 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.932374001 CEST	443	64876	142.250.115.113	192.168.2.4
Oct 26, 2024 06:45:43.933682919 CEST	64876	443	192.168.2.4	142.250.115.113
Oct 26, 2024 06:45:43.936271906 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:43.941620111 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:44.061871052 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:44.064132929 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:44.069678068 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:44.120162010 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:44.187469006 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:44.236082077 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:48.184530020 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:48.189857006 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:48.310344934 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:48.317470074 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:48.322976112 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:48.361955881 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:48.440632105 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:48.493627071 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:56.843565941 CEST	64888	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:56.843605995 CEST	443	64888	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:56.843839884 CEST	64888	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:56.845810890 CEST	64888	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:56.845832109 CEST	443	64888	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:57.481185913 CEST	443	64888	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:57.481281042 CEST	64888	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:57.485923052 CEST	64888	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:57.485938072 CEST	443	64888	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:57.485995054 CEST	64888	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:57.486110926 CEST	443	64888	34.107.243.93	192.168.2.4
Oct 26, 2024 06:45:57.486757040 CEST	64888	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:45:57.488579988 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:57.494184017 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:57.613971949 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:57.617187977 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:57.622792959 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:57.666790962 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:45:57.740648031 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:45:57.789246082 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:07.616919994 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:07.622262955 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:07.748656034 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:07.754121065 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:10.082333088 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.082370043 CEST	443	64961	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.082487106 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.082566977 CEST	443	64962	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.082623005 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.082638025 CEST	443	64963	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.086389065 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.086412907 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.086414099 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.086632013 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.086646080 CEST	443	64961	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.086760998 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.086770058 CEST	443	64963	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.086883068 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.086922884 CEST	443	64962	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.693738937 CEST	443	64963	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.697839022 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.700884104 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.700892925 CEST	443	64963	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.701220036 CEST	443	64963	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.702697039 CEST	443	64962	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.703280926 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.703386068 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.703474998 CEST	443	64963	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.703689098 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.703705072 CEST	64963	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.703845024 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.707093000 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.707148075 CEST	443	64962	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.707434893 CEST	443	64962	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.711863041 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.711946964 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.712017059 CEST	443	64962	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.717449903 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.717449903 CEST	64962	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.720274925 CEST	443	64961	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.725497961 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.728730917 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.728738070 CEST	443	64961	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.729285002 CEST	443	64961	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.730935097 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.731000900 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.731656075 CEST	443	64961	34.120.208.123	192.168.2.4
Oct 26, 2024 06:46:10.733654976 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.733671904 CEST	64961	443	192.168.2.4	34.120.208.123
Oct 26, 2024 06:46:10.753336906 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:10.758692026 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:10.878696918 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:10.903414011 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:10.908818007 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:10.926390886 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:11.026681900 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:11.073555946 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:20.886178017 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:20.892021894 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:21.033333063 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:21.039330959 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:30.899501085 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:30.905157089 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:31.046677113 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:31.051990032 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:37.747904062 CEST	65114	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:46:37.747944117 CEST	443	65114	34.107.243.93	192.168.2.4
Oct 26, 2024 06:46:37.748078108 CEST	65114	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:46:37.750253916 CEST	65114	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:46:37.750272989 CEST	443	65114	34.107.243.93	192.168.2.4
Oct 26, 2024 06:46:38.379709959 CEST	443	65114	34.107.243.93	192.168.2.4
Oct 26, 2024 06:46:38.380074978 CEST	65114	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:46:38.386670113 CEST	65114	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:46:38.386701107 CEST	443	65114	34.107.243.93	192.168.2.4
Oct 26, 2024 06:46:38.386836052 CEST	65114	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:46:38.387056112 CEST	443	65114	34.107.243.93	192.168.2.4
Oct 26, 2024 06:46:38.387203932 CEST	65114	443	192.168.2.4	34.107.243.93
Oct 26, 2024 06:46:38.389733076 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:38.395198107 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:38.515611887 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:38.518929005 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:38.524504900 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:38.568603039 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:38.642904997 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:38.684652090 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:48.535676003 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:48.541203022 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:48.651592970 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:48.657351971 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:58.541829109 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:58.547398090 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:46:58.664443016 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:46:58.672310114 CEST	80	49774	34.107.221.82	192.168.2.4
Oct 26, 2024 06:47:08.551902056 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:47:08.557753086 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 06:47:08.684684992 CEST	49774	80	192.168.2.4	34.107.221.82
Oct 26, 2024 06:47:08.690538883 CEST	80	49774	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 06:45:11.825035095 CEST	51290	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:11.833193064 CEST	53	51290	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:11.842952967 CEST	62844	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:11.851217031 CEST	53	62844	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.097245932 CEST	62918	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.106575012 CEST	61844	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.110356092 CEST	59500	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.113933086 CEST	53	61844	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.114856005 CEST	54664	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.117942095 CEST	53	59500	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.119230032 CEST	51059	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.122231007 CEST	53	54664	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.126645088 CEST	53	51059	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.128494024 CEST	62422	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.135535002 CEST	53	62422	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.711864948 CEST	52954	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.719172001 CEST	53	52954	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.734985113 CEST	64645	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.743355036 CEST	53	64645	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.744018078 CEST	60452	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.752192974 CEST	54417	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.754498005 CEST	53	60452	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.755306959 CEST	65088	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.758291960 CEST	51464	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.759733915 CEST	53	54417	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.763268948 CEST	53	65088	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.765366077 CEST	53	51464	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.767221928 CEST	52276	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.767510891 CEST	63100	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.774548054 CEST	53	52276	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.777970076 CEST	53	63100	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.924390078 CEST	49269	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.925091028 CEST	57356	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:14.932531118 CEST	53	49269	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:14.932770967 CEST	53	57356	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:15.483895063 CEST	64240	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:15.484539986 CEST	58488	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:15.491769075 CEST	53	64240	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:15.663878918 CEST	59690	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:15.671247959 CEST	53	59690	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:15.672580004 CEST	52033	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:15.680551052 CEST	53	52033	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:15.884124994 CEST	55831	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:15.925091028 CEST	53	54944	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:16.609560013 CEST	52784	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:16.616863012 CEST	53	52784	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:16.617978096 CEST	49187	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:16.625324011 CEST	53	49187	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:16.625834942 CEST	53240	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:16.633197069 CEST	53	53240	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:19.247432947 CEST	53146	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:19.256283998 CEST	53	53146	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:19.266313076 CEST	55607	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:19.273752928 CEST	53	55607	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:19.274329901 CEST	62316	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:19.282744884 CEST	53	62316	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:19.396831036 CEST	59234	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:19.399123907 CEST	62308	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:19.406857014 CEST	53	62308	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:19.406887054 CEST	53	59234	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:19.418253899 CEST	63851	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:19.425575972 CEST	53	63851	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:24.270469904 CEST	56208	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:24.277998924 CEST	53	56208	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:24.281603098 CEST	63906	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:24.288981915 CEST	53	63906	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:24.293641090 CEST	57930	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:24.303723097 CEST	53	57930	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:24.442620039 CEST	49189	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:24.450093031 CEST	53	49189	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:24.737792015 CEST	50305	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:24.745218039 CEST	53	50305	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:24.745770931 CEST	52735	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:24.753556013 CEST	53	52735	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:29.749346972 CEST	65329	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:29.749766111 CEST	61867	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:29.756970882 CEST	53	61867	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:29.757462025 CEST	53	65329	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.813364029 CEST	65119	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.817007065 CEST	62887	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.817245960 CEST	53176	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.821526051 CEST	53	65119	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.823210955 CEST	51855	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.824917078 CEST	53	53176	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.824947119 CEST	53	62887	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.826272964 CEST	54731	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.826407909 CEST	49541	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.831094027 CEST	53	51855	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.831751108 CEST	54456	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.834059000 CEST	53	49541	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.834109068 CEST	53	54731	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.834636927 CEST	56243	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.841090918 CEST	53	54456	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.841952085 CEST	53	56243	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.842487097 CEST	50493	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.849617004 CEST	53	50493	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:30.850184917 CEST	54663	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:30.857415915 CEST	53	54663	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:36.119605064 CEST	49747	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:36.127147913 CEST	53	49747	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:40.108949900 CEST	59911	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:40.125845909 CEST	53	59911	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:40.127434015 CEST	53783	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:40.130295038 CEST	49256	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:40.135941029 CEST	53	53783	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:40.137729883 CEST	52193	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:40.137974977 CEST	53	49256	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:40.141808033 CEST	57701	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:40.149671078 CEST	53	57701	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:40.150379896 CEST	50614	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:40.154808044 CEST	53	52193	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:40.156073093 CEST	56575	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:40.158417940 CEST	53	50614	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:40.163789988 CEST	53	56575	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:40.164402962 CEST	64143	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:40.171541929 CEST	53	64143	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:42.654855013 CEST	53	58776	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:56.789501905 CEST	62095	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:56.842286110 CEST	53	62095	1.1.1.1	192.168.2.4
Oct 26, 2024 06:45:56.842993975 CEST	51614	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:45:56.850606918 CEST	53	51614	1.1.1.1	192.168.2.4
Oct 26, 2024 06:46:10.076323986 CEST	60813	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:46:10.083614111 CEST	53	60813	1.1.1.1	192.168.2.4
Oct 26, 2024 06:46:10.753536940 CEST	64035	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:46:37.738755941 CEST	64784	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:46:37.746589899 CEST	53	64784	1.1.1.1	192.168.2.4
Oct 26, 2024 06:46:37.747836113 CEST	60243	53	192.168.2.4	1.1.1.1
Oct 26, 2024 06:46:37.756155968 CEST	53	60243	1.1.1.1	192.168.2.4
Oct 26, 2024 06:46:38.389983892 CEST	60391	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 06:45:11.825035095 CEST	192.168.2.4	1.1.1.1	0x5da0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:11.842952967 CEST	192.168.2.4	1.1.1.1	0x7e93	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:14.097245932 CEST	192.168.2.4	1.1.1.1	0xc207	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.106575012 CEST	192.168.2.4	1.1.1.1	0x4476	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.110356092 CEST	192.168.2.4	1.1.1.1	0xde86	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.114856005 CEST	192.168.2.4	1.1.1.1	0x941c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:14.119230032 CEST	192.168.2.4	1.1.1.1	0xf902	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.128494024 CEST	192.168.2.4	1.1.1.1	0x8483	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:14.711864948 CEST	192.168.2.4	1.1.1.1	0x4240	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.734985113 CEST	192.168.2.4	1.1.1.1	0xcb0e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.744018078 CEST	192.168.2.4	1.1.1.1	0xc6f5	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.752192974 CEST	192.168.2.4	1.1.1.1	0x8c2d	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:14.755306959 CEST	192.168.2.4	1.1.1.1	0x9537	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.758291960 CEST	192.168.2.4	1.1.1.1	0x7ca6	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.767221928 CEST	192.168.2.4	1.1.1.1	0xcbdd	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:14.767510891 CEST	192.168.2.4	1.1.1.1	0x9517	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:14.924390078 CEST	192.168.2.4	1.1.1.1	0x3bcc	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.925091028 CEST	192.168.2.4	1.1.1.1	0xefd5	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:15.483895063 CEST	192.168.2.4	1.1.1.1	0x8e32	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:15.484539986 CEST	192.168.2.4	1.1.1.1	0x43fd	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:15.663878918 CEST	192.168.2.4	1.1.1.1	0x2d17	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:15.672580004 CEST	192.168.2.4	1.1.1.1	0x177e	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:15.884124994 CEST	192.168.2.4	1.1.1.1	0xd4b4	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:16.609560013 CEST	192.168.2.4	1.1.1.1	0x47f0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:16.617978096 CEST	192.168.2.4	1.1.1.1	0xb6b8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:16.625834942 CEST	192.168.2.4	1.1.1.1	0x420d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:19.247432947 CEST	192.168.2.4	1.1.1.1	0x724d	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:19.266313076 CEST	192.168.2.4	1.1.1.1	0x3e1f	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:19.274329901 CEST	192.168.2.4	1.1.1.1	0x11e7	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:19.396831036 CEST	192.168.2.4	1.1.1.1	0xb601	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:19.399123907 CEST	192.168.2.4	1.1.1.1	0x8c42	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:19.418253899 CEST	192.168.2.4	1.1.1.1	0xc058	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:24.270469904 CEST	192.168.2.4	1.1.1.1	0x12ef	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:24.281603098 CEST	192.168.2.4	1.1.1.1	0x9958	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:24.293641090 CEST	192.168.2.4	1.1.1.1	0x38b1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:24.442620039 CEST	192.168.2.4	1.1.1.1	0xe901	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:24.737792015 CEST	192.168.2.4	1.1.1.1	0x494b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:24.745770931 CEST	192.168.2.4	1.1.1.1	0xf020	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:29.749346972 CEST	192.168.2.4	1.1.1.1	0x8993	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.749766111 CEST	192.168.2.4	1.1.1.1	0x54e4	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.813364029 CEST	192.168.2.4	1.1.1.1	0xe95f	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.817007065 CEST	192.168.2.4	1.1.1.1	0xef58	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.817245960 CEST	192.168.2.4	1.1.1.1	0xfc5f	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.823210955 CEST	192.168.2.4	1.1.1.1	0x92c4	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.826272964 CEST	192.168.2.4	1.1.1.1	0x97c1	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 26, 2024 06:45:30.826407909 CEST	192.168.2.4	1.1.1.1	0xb246	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:30.831751108 CEST	192.168.2.4	1.1.1.1	0x7ccb	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:30.834636927 CEST	192.168.2.4	1.1.1.1	0x70e5	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.842487097 CEST	192.168.2.4	1.1.1.1	0xcc60	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.850184917 CEST	192.168.2.4	1.1.1.1	0xe112	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:36.119605064 CEST	192.168.2.4	1.1.1.1	0x7d84	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:40.108949900 CEST	192.168.2.4	1.1.1.1	0x8409	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.127434015 CEST	192.168.2.4	1.1.1.1	0x911d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.130295038 CEST	192.168.2.4	1.1.1.1	0x4a21	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 06:45:40.137729883 CEST	192.168.2.4	1.1.1.1	0xddca	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.141808033 CEST	192.168.2.4	1.1.1.1	0x5255	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.150379896 CEST	192.168.2.4	1.1.1.1	0x2bad	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 26, 2024 06:45:40.156073093 CEST	192.168.2.4	1.1.1.1	0xf775	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.164402962 CEST	192.168.2.4	1.1.1.1	0x730c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:45:56.789501905 CEST	192.168.2.4	1.1.1.1	0xa388	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:56.842993975 CEST	192.168.2.4	1.1.1.1	0xb9d1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:46:10.076323986 CEST	192.168.2.4	1.1.1.1	0x2585	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:46:10.753536940 CEST	192.168.2.4	1.1.1.1	0x61b1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:46:37.738755941 CEST	192.168.2.4	1.1.1.1	0x9c6a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:46:37.747836113 CEST	192.168.2.4	1.1.1.1	0xd87c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 06:46:38.389983892 CEST	192.168.2.4	1.1.1.1	0x4545	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 06:45:11.802649975 CEST	1.1.1.1	192.168.2.4	0xa1bc	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:11.833193064 CEST	1.1.1.1	192.168.2.4	0x5da0	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.105511904 CEST	1.1.1.1	192.168.2.4	0xc207	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:14.105511904 CEST	1.1.1.1	192.168.2.4	0xc207	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.113933086 CEST	1.1.1.1	192.168.2.4	0x4476	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.117942095 CEST	1.1.1.1	192.168.2.4	0xde86	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:14.117942095 CEST	1.1.1.1	192.168.2.4	0xde86	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.122231007 CEST	1.1.1.1	192.168.2.4	0x941c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 26, 2024 06:45:14.126645088 CEST	1.1.1.1	192.168.2.4	0xf902	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.135535002 CEST	1.1.1.1	192.168.2.4	0x8483	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 26, 2024 06:45:14.719172001 CEST	1.1.1.1	192.168.2.4	0x4240	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.743355036 CEST	1.1.1.1	192.168.2.4	0xcb0e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.754193068 CEST	1.1.1.1	192.168.2.4	0x54ce	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:14.754193068 CEST	1.1.1.1	192.168.2.4	0x54ce	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.754498005 CEST	1.1.1.1	192.168.2.4	0xc6f5	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:14.754498005 CEST	1.1.1.1	192.168.2.4	0xc6f5	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.763268948 CEST	1.1.1.1	192.168.2.4	0x9537	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.765366077 CEST	1.1.1.1	192.168.2.4	0x7ca6	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.932531118 CEST	1.1.1.1	192.168.2.4	0x3bcc	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.932770967 CEST	1.1.1.1	192.168.2.4	0xefd5	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:14.932770967 CEST	1.1.1.1	192.168.2.4	0xefd5	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:15.491769075 CEST	1.1.1.1	192.168.2.4	0x8e32	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:15.491769075 CEST	1.1.1.1	192.168.2.4	0x8e32	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:15.491769075 CEST	1.1.1.1	192.168.2.4	0x8e32	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:15.491849899 CEST	1.1.1.1	192.168.2.4	0x43fd	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:15.491849899 CEST	1.1.1.1	192.168.2.4	0x43fd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:15.671247959 CEST	1.1.1.1	192.168.2.4	0x2d17	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:15.680551052 CEST	1.1.1.1	192.168.2.4	0x177e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 26, 2024 06:45:15.892899990 CEST	1.1.1.1	192.168.2.4	0xd4b4	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:16.616863012 CEST	1.1.1.1	192.168.2.4	0x47f0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:16.625324011 CEST	1.1.1.1	192.168.2.4	0xb6b8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:19.256283998 CEST	1.1.1.1	192.168.2.4	0x724d	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:19.256283998 CEST	1.1.1.1	192.168.2.4	0x724d	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:19.256283998 CEST	1.1.1.1	192.168.2.4	0x724d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:19.273752928 CEST	1.1.1.1	192.168.2.4	0x3e1f	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:19.387043953 CEST	1.1.1.1	192.168.2.4	0xd98c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:19.406887054 CEST	1.1.1.1	192.168.2.4	0xb601	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:19.407221079 CEST	1.1.1.1	192.168.2.4	0x1ee2	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:19.407221079 CEST	1.1.1.1	192.168.2.4	0x1ee2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:24.277998924 CEST	1.1.1.1	192.168.2.4	0x12ef	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:24.277998924 CEST	1.1.1.1	192.168.2.4	0x12ef	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:24.288981915 CEST	1.1.1.1	192.168.2.4	0x9958	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:24.449646950 CEST	1.1.1.1	192.168.2.4	0x58fe	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:24.745218039 CEST	1.1.1.1	192.168.2.4	0x494b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.756970882 CEST	1.1.1.1	192.168.2.4	0x54e4	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:29.756970882 CEST	1.1.1.1	192.168.2.4	0x54e4	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:29.757462025 CEST	1.1.1.1	192.168.2.4	0x8993	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.821526051 CEST	1.1.1.1	192.168.2.4	0xe95f	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:30.821526051 CEST	1.1.1.1	192.168.2.4	0xe95f	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.821526051 CEST	1.1.1.1	192.168.2.4	0xe95f	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.821526051 CEST	1.1.1.1	192.168.2.4	0xe95f	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.821526051 CEST	1.1.1.1	192.168.2.4	0xe95f	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824917078 CEST	1.1.1.1	192.168.2.4	0xfc5f	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.824947119 CEST	1.1.1.1	192.168.2.4	0xef58	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.831094027 CEST	1.1.1.1	192.168.2.4	0x92c4	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.831094027 CEST	1.1.1.1	192.168.2.4	0x92c4	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.831094027 CEST	1.1.1.1	192.168.2.4	0x92c4	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.831094027 CEST	1.1.1.1	192.168.2.4	0x92c4	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.834059000 CEST	1.1.1.1	192.168.2.4	0xb246	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 06:45:30.834059000 CEST	1.1.1.1	192.168.2.4	0xb246	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 06:45:30.834059000 CEST	1.1.1.1	192.168.2.4	0xb246	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 06:45:30.834059000 CEST	1.1.1.1	192.168.2.4	0xb246	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 06:45:30.834109068 CEST	1.1.1.1	192.168.2.4	0x97c1	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 26, 2024 06:45:30.841952085 CEST	1.1.1.1	192.168.2.4	0x70e5	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:30.849617004 CEST	1.1.1.1	192.168.2.4	0xcc60	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.115402937 CEST	1.1.1.1	192.168.2.4	0xd961	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:40.115402937 CEST	1.1.1.1	192.168.2.4	0xd961	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.125845909 CEST	1.1.1.1	192.168.2.4	0x8409	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.135941029 CEST	1.1.1.1	192.168.2.4	0x911d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.135941029 CEST	1.1.1.1	192.168.2.4	0x911d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.135941029 CEST	1.1.1.1	192.168.2.4	0x911d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.135941029 CEST	1.1.1.1	192.168.2.4	0x911d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.149671078 CEST	1.1.1.1	192.168.2.4	0x5255	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.149671078 CEST	1.1.1.1	192.168.2.4	0x5255	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.149671078 CEST	1.1.1.1	192.168.2.4	0x5255	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.149671078 CEST	1.1.1.1	192.168.2.4	0x5255	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.154808044 CEST	1.1.1.1	192.168.2.4	0xddca	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:40.154808044 CEST	1.1.1.1	192.168.2.4	0xddca	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:40.163789988 CEST	1.1.1.1	192.168.2.4	0xf775	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:45:41.467170954 CEST	1.1.1.1	192.168.2.4	0xcec	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:41.467170954 CEST	1.1.1.1	192.168.2.4	0xcec	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:45:56.842286110 CEST	1.1.1.1	192.168.2.4	0xa388	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:46:10.066606045 CEST	1.1.1.1	192.168.2.4	0x47ab	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:46:10.761074066 CEST	1.1.1.1	192.168.2.4	0x61b1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:46:10.761074066 CEST	1.1.1.1	192.168.2.4	0x61b1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:46:37.746589899 CEST	1.1.1.1	192.168.2.4	0x9c6a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 06:46:38.397150993 CEST	1.1.1.1	192.168.2.4	0x4545	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:46:38.397150993 CEST	1.1.1.1	192.168.2.4	0x4545	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	34.107.221.82	80	7080	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 06:45:14.305877924 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:14.893423080 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53336 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49750	34.107.221.82	80	7080	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 06:45:15.650341034 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:16.263492107 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69778 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:16.410871983 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:16.538610935 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69778 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:16.700725079 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:16.832190037 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69778 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:19.379127979 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:19.511845112 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69781 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:23.733545065 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:23.862032890 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69785 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:24.738276005 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:24.866456032 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69786 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:26.375082016 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:26.509772062 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69788 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:27.688589096 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:27.816294909 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69789 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49752	34.107.221.82	80	7080	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 06:45:15.670914888 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:16.280719042 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53338 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:16.411887884 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:16.537338972 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53338 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:17.039896965 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:17.165838003 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53339 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:19.379712105 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:19.505579948 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53341 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:24.289515018 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:24.415016890 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53346 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:26.106353045 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:26.244019985 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53348 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:27.490180016 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:27.616955996 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53349 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:27.688842058 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:27.814596891 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53349 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:36.755485058 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:36.884453058 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53358 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:40.749768972 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:40.877610922 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53362 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:41.427699089 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:41.553524971 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53363 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:41.655791044 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:41.781306982 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53363 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:43.936271906 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:44.061871052 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53366 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:48.184530020 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:48.310344934 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53370 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:45:57.488579988 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:45:57.613971949 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53379 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:46:07.616919994 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:46:10.753336906 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:46:10.878696918 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53392 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:46:20.886178017 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:46:30.899501085 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:46:38.389733076 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 06:46:38.515611887 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 53420 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 06:46:48.535676003 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:46:58.541829109 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:47:08.551902056 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49774	34.107.221.82	80	7080	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 06:45:28.533056974 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:28.657799006 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69790 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:36.903449059 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:37.026449919 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69798 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:40.880649090 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:41.003592014 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69802 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:41.556546926 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:41.680330038 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69803 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:41.784549952 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:41.907748938 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69803 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:44.064132929 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:44.187469006 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69806 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:48.317470074 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:48.440632105 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69810 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:45:57.617187977 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:45:57.740648031 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69819 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:46:07.748656034 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:46:10.903414011 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:46:11.026681900 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69832 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:46:21.033333063 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:46:31.046677113 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:46:38.518929005 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 06:46:38.642904997 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 69860 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 06:46:48.651592970 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:46:58.664443016 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 06:47:08.684684992 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	00:45:04
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x300000
File size:	919'040 bytes
MD5 hash:	C50F8D8CB7A3471EB5472620F856A7FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:45:04
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xed0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:45:04
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xed0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xed0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xed0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xed0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:45:07
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	00:45:08
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2248 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0e9e8c-2c71-4c21-bbc2-599cb7b02975} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12e8cb6ed10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	00:45:10
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4140 -prefMapHandle 4136 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f7c976-22af-47d7-aeed-3e85c38de67b} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12e8cb7fb10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	00:45:18
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3832 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5076 -prefMapHandle 5292 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef3bc804-8237-494b-b935-3660cdebc83d} 7080 "\\.\pipe\gecko-crash-server-pipe.7080" 12eab15e510 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	1552
Total number of Limit Nodes:	55

Executed Functions

Function 003042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0030430D

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

GetCurrentProcess.KERNEL32(?,0039CB64,00000000,?,?), ref: 00304422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00304429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00304454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00304466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00304474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0030447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003044A0

Strings

kernel32.dll, xrefs: 0030444F
GetNativeSystemInfo, xrefs: 00304460
|O, xrefs: 003436F8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 20dab3c4e4a7592bb4b1d5febc87d0461299af23feb330dc254b865c5905fc98
Instruction ID: 9f79fccb25e1cd2ca05e861d8f17e7152ab6706b9e6b5dad83ea34139019f6ed
Opcode Fuzzy Hash: 20dab3c4e4a7592bb4b1d5febc87d0461299af23feb330dc254b865c5905fc98
Instruction Fuzzy Hash: 05A186ADA1B2C0FFC713C76EBC811957FEDBB26340F19549BE18197A62D2345A04CB25

Function 003042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003050AA,?,?,00000000,00000000), ref: 003042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003050AA,?,?,00000000,00000000), ref: 003042C9
LoadResource.KERNEL32(?,00000000,?,?,003050AA,?,?,00000000,00000000,?,?,?,?,?,?,00304F20), ref: 003435BE
SizeofResource.KERNEL32(?,00000000,?,?,003050AA,?,?,00000000,00000000,?,?,?,?,?,?,00304F20), ref: 003435D3
LockResource.KERNEL32(003050AA,?,?,003050AA,?,?,00000000,00000000,?,?,?,?,?,?,00304F20,?), ref: 003435E6

Strings

SCRIPT, xrefs: 003042BF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 69c8dd67e94da93d2d47366b2d9051d0f144f09930bb37fc0239947bd5b00d35
Instruction ID: 7cc1b8ea17f35450bbc447ed3a65394a4b5347e1b95b6d77c7b3d8d96cadeee7
Opcode Fuzzy Hash: 69c8dd67e94da93d2d47366b2d9051d0f144f09930bb37fc0239947bd5b00d35
Instruction Fuzzy Hash: 54117CB0201701BFDB228B65DC48F677BBDEBC5B51F10496AF502D6290DB72E900C630

Function 00342BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00302B6B

Part of subcall function 00303A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003D1418,?,00302E7F,?,?,?,00000000), ref: 00303A78

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,003C2224), ref: 00342C10
ShellExecuteW.SHELL32(00000000,?,?,003C2224), ref: 00342C17

Strings

runas, xrefs: 00342C0B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: e470bd2d7249707219ffa4c24b3c5e5d63ec02f0bb2ae2ec7d338dd396be626f
Instruction ID: 5d97d0728f9cbbcef2945227e851e4958a23b9f10ed2bdca779e02bf4e96d41d
Opcode Fuzzy Hash: e470bd2d7249707219ffa4c24b3c5e5d63ec02f0bb2ae2ec7d338dd396be626f
Instruction Fuzzy Hash: C111AF3120A2416BC717FF60E8B6ABF77A89B91740F44546EF1825A1E3CF219A498752

Function 0036D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0036D501
Process32FirstW.KERNEL32(00000000,?), ref: 0036D50F
Process32NextW.KERNEL32(00000000,?), ref: 0036D52F
CloseHandle.KERNELBASE(00000000), ref: 0036D5DC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0c01579d638a83e11908de43bc6c32acf1654d5e20b9b27aa0e4f7060e2ef942
Instruction ID: a0ebf017322b86793bf5702213da037e111a694473ca7b3703aba5fc2805a7a2
Opcode Fuzzy Hash: 0c01579d638a83e11908de43bc6c32acf1654d5e20b9b27aa0e4f7060e2ef942
Instruction Fuzzy Hash: 9931B8715083009FD306EF54C891AAFBBF8EF99354F14452DF582871A2EB719944CB92

Function 0036DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00345222), ref: 0036DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0036DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0036DBEE
FindClose.KERNEL32(00000000), ref: 0036DBFA

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b2751edc09d02f37c161f8a87cdba396cfcb69d102ecead2d93d616ca10aee36
Instruction ID: 2e81c32f7ca7412d5b9f59a4a1af9e3425b9c41fe9fe30f1d88947650f10158f
Opcode Fuzzy Hash: b2751edc09d02f37c161f8a87cdba396cfcb69d102ecead2d93d616ca10aee36
Instruction Fuzzy Hash: 8EF0E530C2091857C222AB7CBC0D8AA376C9E01334F508B03F876C20F4EBB25D94C6D9

Function 00324CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003328E9,?,00324CBE,003328E9,003C88B8,0000000C,00324E15,003328E9,00000002,00000000,?,003328E9), ref: 00324D09
TerminateProcess.KERNEL32(00000000,?,00324CBE,003328E9,003C88B8,0000000C,00324E15,003328E9,00000002,00000000,?,003328E9), ref: 00324D10
ExitProcess.KERNEL32 ref: 00324D22

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 623e340410d4615f4ee50cb22c8e290b559a8eba09867bc1b1edb1b8e94c9602
Instruction ID: 6dc12c0c03ac6f601723375809cce8bbb1629a483de5bced112a0d9acc6d50e8
Opcode Fuzzy Hash: 623e340410d4615f4ee50cb22c8e290b559a8eba09867bc1b1edb1b8e94c9602
Instruction Fuzzy Hash: DBE0B635010158AFCF13AF54EE4AA583B6DEB41B81F118015FC098B123CB3ADD42CA90

Function 0030BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#=, xrefs: 003507CE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#=
API String ID: 3964851224-1299286578
Opcode ID: ccce927fac86fb8b1ad0ba0f1acb8cc32807d28366bf0c4843d929df90a72be0
Instruction ID: 7b3e78d209a57b95f6eeeddfb51d1eb92b7b53aff06718ef2d9c1ac4049db8e2
Opcode Fuzzy Hash: ccce927fac86fb8b1ad0ba0f1acb8cc32807d28366bf0c4843d929df90a72be0
Instruction Fuzzy Hash: 1DA28B70619341CFC726CF18C490B6AB7E5BF89304F15996DE88A8B3A2D771EC45CB92

Function 0038AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0038B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038B1D4
_wcslen.LIBCMT ref: 0038B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0038B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0038B236
_wcslen.LIBCMT ref: 0038B332

Part of subcall function 003705A7: GetStdHandle.KERNEL32(000000F6), ref: 003705C6

_wcslen.LIBCMT ref: 0038B34B
_wcslen.LIBCMT ref: 0038B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0038B3B6
GetLastError.KERNEL32(00000000), ref: 0038B407
CloseHandle.KERNEL32(?), ref: 0038B439
CloseHandle.KERNEL32(00000000), ref: 0038B44A
CloseHandle.KERNEL32(00000000), ref: 0038B45C
CloseHandle.KERNEL32(00000000), ref: 0038B46E
CloseHandle.KERNEL32(?), ref: 0038B4E3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: d20c3d9ba29151b15b8cab3266bb12e9f9a0b16a485f18b164c34f74834dfc71
Instruction ID: 1b77b0adf61e4f834a1b94f1b05fa812b7f64031f617bdd7d2d3995ea04f8e40
Opcode Fuzzy Hash: d20c3d9ba29151b15b8cab3266bb12e9f9a0b16a485f18b164c34f74834dfc71
Instruction Fuzzy Hash: FCF19E715083019FCB16EF24C891B6EBBE5AF85314F19899DF4999F2A2CB31EC41CB52

Function 0030D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0030D807
timeGetTime.WINMM ref: 0030DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0030DB28
TranslateMessage.USER32(?), ref: 0030DB7B
DispatchMessageW.USER32(?), ref: 0030DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0030DB9F
Sleep.KERNELBASE(0000000A), ref: 0030DBB1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: f998bbdc8b3bdb62760bf75061481ca27b5b60de51ad1b039a71f168e829fd22
Instruction ID: 32b0e07155c847b09a072b0bfb97ab4d60ae4d73c7b9fe70f465922bcf47a354
Opcode Fuzzy Hash: f998bbdc8b3bdb62760bf75061481ca27b5b60de51ad1b039a71f168e829fd22
Instruction Fuzzy Hash: F242E230609341EFD72BCF64C864FAAB7E8BF46300F15851AE8558B2E1D771E848CB92

Function 00302CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00302D07
RegisterClassExW.USER32(00000030), ref: 00302D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00302D42
InitCommonControlsEx.COMCTL32(?), ref: 00302D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00302D6F
LoadIconW.USER32(000000A9), ref: 00302D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00302D94

Strings

AutoIt v3 GUI, xrefs: 00302D23
0, xrefs: 00302CE9
+, xrefs: 00302CF0
TaskbarCreated, xrefs: 00302D37

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cba9b11984740de75a69db612293044041ff85f5cbaf260370077a89eb1eeb31
Instruction ID: 9a620dbe737b9191a74d6c4ba6456c444b15f5f05ff327341e694a22f02fe356
Opcode Fuzzy Hash: cba9b11984740de75a69db612293044041ff85f5cbaf260370077a89eb1eeb31
Instruction Fuzzy Hash: 3021C3B5922218AFEB02DFA4EC59BDDBBB8FB08700F00511BF511A62A0D7B24544CF91

Function 0034065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0034039A: CreateFileW.KERNELBASE(00000000,00000000,?,00340704,?,?,00000000,?,00340704,00000000,0000000C), ref: 003403B7

GetLastError.KERNEL32 ref: 0034076F
__dosmaperr.LIBCMT ref: 00340776
GetFileType.KERNELBASE(00000000), ref: 00340782
GetLastError.KERNEL32 ref: 0034078C
__dosmaperr.LIBCMT ref: 00340795
CloseHandle.KERNEL32(00000000), ref: 003407B5
CloseHandle.KERNEL32(?), ref: 003408FF
GetLastError.KERNEL32 ref: 00340931
__dosmaperr.LIBCMT ref: 00340938

Strings

H, xrefs: 003408BD

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 49794579435ed7e79b91136c4f6844cbcd8567d678cce5b3ae3e899668fb7734
Instruction ID: 5c73986c389387c2d7e7752e2f441eada2ecf6ea87afcabd9fd2db7fb2b07517
Opcode Fuzzy Hash: 49794579435ed7e79b91136c4f6844cbcd8567d678cce5b3ae3e899668fb7734
Instruction Fuzzy Hash: 2EA13636A001148FDF1EAF68D891BAE7BF4EB06320F25015AF911AF291D735AC12CB91

Function 0030344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00303A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003D1418,?,00302E7F,?,?,?,00000000), ref: 00303A78

Part of subcall function 00303357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00303379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0030356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0034318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003431CE
RegCloseKey.ADVAPI32(?), ref: 00343210
_wcslen.LIBCMT ref: 00343277
_wcslen.LIBCMT ref: 00343286

Strings

\Include\, xrefs: 00303527
Include, xrefs: 00343184, 003431C5
Software\AutoIt v3\AutoIt, xrefs: 00303560
\, xrefs: 0034328C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d65c2cfe7238825e5a75904295b09101425018408bd55bc3d7d6dfdd6e5e2a3c
Instruction ID: d0df0728064028b63a85b68b57d28fe9f2a384ffbffd028bcbb3dc487e80f21b
Opcode Fuzzy Hash: d65c2cfe7238825e5a75904295b09101425018408bd55bc3d7d6dfdd6e5e2a3c
Instruction Fuzzy Hash: 59719E755063019FC706EF65EC929ABBBECFFA5340F40092EF5458B2A1DB709A48CB61

Function 00302B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00302B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00302B9D
LoadIconW.USER32(00000063), ref: 00302BB3
LoadIconW.USER32(000000A4), ref: 00302BC5
LoadIconW.USER32(000000A2), ref: 00302BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00302BEF
RegisterClassExW.USER32(?), ref: 00302C40

Part of subcall function 00302CD4: GetSysColorBrush.USER32(0000000F), ref: 00302D07
Part of subcall function 00302CD4: RegisterClassExW.USER32(00000030), ref: 00302D31
Part of subcall function 00302CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00302D42
Part of subcall function 00302CD4: InitCommonControlsEx.COMCTL32(?), ref: 00302D5F
Part of subcall function 00302CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00302D6F
Part of subcall function 00302CD4: LoadIconW.USER32(000000A9), ref: 00302D85
Part of subcall function 00302CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00302D94

Strings

AutoIt v3, xrefs: 00302C2F
0, xrefs: 00302C0F
#, xrefs: 00302C16

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1c4cebb51eafbf5d8171e6591eb9b023f6369b3497ebc79ba696f513e323f407
Instruction ID: 2b78cc67b0da61fdcd26854da251c318b96c98f542c8104e62e27d69c6b6bc57
Opcode Fuzzy Hash: 1c4cebb51eafbf5d8171e6591eb9b023f6369b3497ebc79ba696f513e323f407
Instruction Fuzzy Hash: A2211A78E12314BFDB129FE5FC55A997FB8FB48B50F40011BE504A66A0D7B10540CF90

Function 00303170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0030316A,?,?), ref: 003031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0030316A,?,?), ref: 00303204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00303227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0030316A,?,?), ref: 00303232
CreatePopupMenu.USER32 ref: 00303246
PostQuitMessage.USER32(00000000), ref: 00303267

Strings

TaskbarCreated, xrefs: 0030322D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7c1c88e939e748f434ffa9afd181adf29e445af295f336efe3647175fb7d9103
Instruction ID: 51198d54bafafe20587e4612478c01d5c8fccbee6ab5cc29a7ce3839cd081e85
Opcode Fuzzy Hash: 7c1c88e939e748f434ffa9afd181adf29e445af295f336efe3647175fb7d9103
Instruction Fuzzy Hash: A3413B39256200BBDB1B6BBCEC3DB7A375DEB0A340F041517F5129A6E1C771DA8097A1

Function 00301410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00301459
CoUninitialize.COMBASE ref: 003014F8
UnregisterHotKey.USER32(?), ref: 003016DD
DestroyWindow.USER32(?), ref: 003424B9
FreeLibrary.KERNEL32(?), ref: 0034251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0034254B

Strings

close all, xrefs: 00301454

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9197db6d48222ea6d38e8eadca584d84a1425ec7e2b383f19e7aaf83517efb54
Instruction ID: 6438b4563b4b6a02c19bfefe75abe6178c07abf9c42196d2abc614210548d2bb
Opcode Fuzzy Hash: 9197db6d48222ea6d38e8eadca584d84a1425ec7e2b383f19e7aaf83517efb54
Instruction Fuzzy Hash: 1BD15D31702212CFCB2BEF15C8A5A6AF7A4BF05700F55419DE84A6F2A2DB31AD52CF51

Function 00302C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00302C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00302CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00301CAD,?), ref: 00302CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00301CAD,?), ref: 00302CCF

Strings

edit, xrefs: 00302CAC
AutoIt v3, xrefs: 00302C89, 00302C8E, 00302C8F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a7120b1572f6be29b0da48ed5530d180ba215369d55ed335f7c408c5e6950f67
Instruction ID: 225f7c9633c2023b1225fe9ba97df71f327b23012d3aa8662c113030c0bf98c9
Opcode Fuzzy Hash: a7120b1572f6be29b0da48ed5530d180ba215369d55ed335f7c408c5e6950f67
Instruction Fuzzy Hash: B8F0D4796512907BEB331B27BC08EB72FBDD7CAF60F00105BF904A25A0C6B21850DAB0

Function 00303B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00303B0F,SwapMouseButtons,00000004,?), ref: 00303B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00303B0F,SwapMouseButtons,00000004,?), ref: 00303B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00303B0F,SwapMouseButtons,00000004,?), ref: 00303B83

Strings

Control Panel\Mouse, xrefs: 00303B3E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6ea0db19f57f6c26d533c823129111118889745d9c7d03d076f1d4bcdd3c34bf
Instruction ID: 71be5a203ac25038ed11627d6cfd61507ce7f54ef9d6a227f714538e50548621
Opcode Fuzzy Hash: 6ea0db19f57f6c26d533c823129111118889745d9c7d03d076f1d4bcdd3c34bf
Instruction Fuzzy Hash: 0B112AB5521208FFDB228FA5DC95AAFBBBCEF04748F11445AA805D7250D231DE449760

Function 00303923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003433A2

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00303A04

Strings

Line: , xrefs: 003433EB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 617188ba89b6cc93ce877cd2e102c1af99217ddbd2acb7d0b2dcbdcb64d4a5ec
Instruction ID: 8a6263a5fdccb514fc666119560867d349efff03fe557d0cff49d2d6f9c42e0c
Opcode Fuzzy Hash: 617188ba89b6cc93ce877cd2e102c1af99217ddbd2acb7d0b2dcbdcb64d4a5ec
Instruction Fuzzy Hash: 6631A27151A300ABD727EB24EC66BEBB7DCAB40710F00492BF599971D1DB709A49C7C2

Function 00302DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00342C8C

Part of subcall function 00303AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00303A97,?,?,00302E7F,?,?,?,00000000), ref: 00303AC2

Part of subcall function 00302DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00302DC4

Strings

`e<, xrefs: 00342C85
X, xrefs: 00342C5A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e<
API String ID: 779396738-2653119291
Opcode ID: f53101c648e109f418340a2d9acbcceeeb92fd3ca507ddccbd2f653cf9a514d1
Instruction ID: 0735675debd9cad9388f9dee973c64f9ba0edaf1489a5ab82ba1842aae1f7e65
Opcode Fuzzy Hash: f53101c648e109f418340a2d9acbcceeeb92fd3ca507ddccbd2f653cf9a514d1
Instruction Fuzzy Hash: A321C670A002589BCB02DF94C859BDE7BFC9F49304F00405AE405FB281DBB49A89CF61

Function 0031FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00320668

Part of subcall function 003232A4: RaiseException.KERNEL32(?,?,?,0032068A,?,003D1444,?,?,?,?,?,?,0032068A,00301129,003C8738,00301129), ref: 00323304

__CxxThrowException@8.LIBVCRUNTIME ref: 00320685

Strings

Unknown exception, xrefs: 00320692

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1e5f94120deb7ad48c28211cd3f6c8ccaefacf240dc891bb7f37018f138d1b14
Instruction ID: 45f4e198a85fbf4aa0a938f59f596b844e0c7dce456c02943ed249deac345b54
Opcode Fuzzy Hash: 1e5f94120deb7ad48c28211cd3f6c8ccaefacf240dc891bb7f37018f138d1b14
Instruction Fuzzy Hash: 6CF0AF3490021DABCB0AB7A4F846DAE7B6C9E00310B604535B914DA996EF71DB698680

Function 003010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00301BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00301BF4
Part of subcall function 00301BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00301BFC
Part of subcall function 00301BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00301C07
Part of subcall function 00301BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00301C12
Part of subcall function 00301BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00301C1A
Part of subcall function 00301BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00301C22

Part of subcall function 00301B4A: RegisterWindowMessageW.USER32(00000004,?,003012C4), ref: 00301BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0030136A
OleInitialize.OLE32 ref: 00301388
CloseHandle.KERNEL32(00000000,00000000), ref: 003424AB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 80c40edd0faf4572f115f1f53f04b4f1f0229cd09df03e5790134f92cc2d10a2
Instruction ID: 2e370e4e3f060b330da69a5ac674c16e5521e059bfb96918d44d0fce141385d9
Opcode Fuzzy Hash: 80c40edd0faf4572f115f1f53f04b4f1f0229cd09df03e5790134f92cc2d10a2
Instruction Fuzzy Hash: 0571B2B9A13204AFC787DFB9B9556553BFABB8A344B44426BD40AC73A2E7384444CF40

Function 0036C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00303923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00303A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0036C259
KillTimer.USER32(?,00000001,?,?), ref: 0036C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0036C270

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: a53edaa156dcea7796f66513e958afdb575fe73e3a19194de5b5942127fa86ec
Instruction ID: 5881b9361c7d905aa758bf2702755528ef7bd53c2355f8e7bf53b611eb4470fd
Opcode Fuzzy Hash: a53edaa156dcea7796f66513e958afdb575fe73e3a19194de5b5942127fa86ec
Instruction Fuzzy Hash: 7331C370914344AFEF238F6488A5BE7BBEC9F06304F00549AD6DA97246C3745A84CB51

Function 003386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003385CC,?,003C8CC8,0000000C), ref: 00338704
GetLastError.KERNEL32(?,003385CC,?,003C8CC8,0000000C), ref: 0033870E
__dosmaperr.LIBCMT ref: 00338739

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: aa8816db35906bd62fdeae052fd483ddc41b8383149647b935d244bb01ba9d2e
Instruction ID: aaaf36d9cbbc838d41a41df3f9a09c44b0b1b09fed5c6ecb1a237e553cbe6201
Opcode Fuzzy Hash: aa8816db35906bd62fdeae052fd483ddc41b8383149647b935d244bb01ba9d2e
Instruction Fuzzy Hash: A5014E3670572017D677633469C777E675D4B82774F3A021AF9159F1D2DEA1CC818150

Function 0030DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0030DB7B
DispatchMessageW.USER32(?), ref: 0030DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0030DB9F
Sleep.KERNELBASE(0000000A), ref: 0030DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00351CC9

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 779f1ec6650e5784955195539957ca97aa3ad7186d3e0348d5bfe2375ec59582
Instruction ID: 1ca544f9f581b42123404c42e3e4d5c2b350a4521f7abd7fd80d82afb906eab3
Opcode Fuzzy Hash: 779f1ec6650e5784955195539957ca97aa3ad7186d3e0348d5bfe2375ec59582
Instruction Fuzzy Hash: 29F05E316053809BE732CBA09C99FEA73ACEB85311F11461AEA5A830D0DB319488DB25

Function 00311310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003117F6

Strings

CALL, xrefs: 003117C6

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 75ff15e3343485f6154db88e2321d8a477c41063499c45581c3ca6d4d1f36160
Instruction ID: d886459ff492a02c0159dd651565c51c0b8c118e32b069d7823250b427247939
Opcode Fuzzy Hash: 75ff15e3343485f6154db88e2321d8a477c41063499c45581c3ca6d4d1f36160
Instruction Fuzzy Hash: 8C22AC706083019FC71ADF14C491BAABBF6BF89314F14891DF9968B3A1D731E885CB92

Function 00303837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00303908

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f3263ab25d59eba275e88e4128787194274e0ada2ec7822fc5192145a10860dc
Instruction ID: 74ffcc0359fe4838912dd7af9cfc8028782bf5be505237f4c1a0d7f979b7325c
Opcode Fuzzy Hash: f3263ab25d59eba275e88e4128787194274e0ada2ec7822fc5192145a10860dc
Instruction Fuzzy Hash: FD31C1746063019FD322DF24E894797BBECFB49308F00096EF59987280E7B1AA48CB52

Function 0031F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0031F661

Part of subcall function 0030D730: GetInputState.USER32 ref: 0030D807

Sleep.KERNEL32(00000000), ref: 0035F2DE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 4a464317c60a69c07e225ddde1d33a447629277710373e9bc9807b0236350c30
Instruction ID: e78ace7d2e8ea5b9f3b602261c510e979107ce219516fbe4296905c39d613e48
Opcode Fuzzy Hash: 4a464317c60a69c07e225ddde1d33a447629277710373e9bc9807b0236350c30
Instruction Fuzzy Hash: 24F08C312402059FD315EF69D859B6AF7E8FF4A761F00006AE85DCB3A0DB70AC00CB90

Function 00304ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00304E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00304EDD,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E9C
Part of subcall function 00304E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00304EAE
Part of subcall function 00304E90: FreeLibrary.KERNEL32(00000000,?,?,00304EDD,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304EFD

Part of subcall function 00304E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00343CDE,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E62
Part of subcall function 00304E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00304E74
Part of subcall function 00304E59: FreeLibrary.KERNEL32(00000000,?,?,00343CDE,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E87

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e474f451956be1a059b76c3e6b5557bbd9283dc87737b6d9716652acab871f47
Instruction ID: 041b2c47c0aa5b0ea4892b252f890c162a64d1eff26591564087ec296ca8587c
Opcode Fuzzy Hash: e474f451956be1a059b76c3e6b5557bbd9283dc87737b6d9716652acab871f47
Instruction Fuzzy Hash: B2112771611206ABCF16BB60DC22FAD77A49F40711F10842DF642AF1C1EEB0AF049B54

Function 00338402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00338440

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 025d79265258d2e92648c429aa9bf7c8b5452f4161876f5bb74a3fb2d7a2cb13
Instruction ID: 7821dba44bcc771353cdc41f318e548e60bdbb4d6a5490fb17b340b7e21b6353
Opcode Fuzzy Hash: 025d79265258d2e92648c429aa9bf7c8b5452f4161876f5bb74a3fb2d7a2cb13
Instruction Fuzzy Hash: 96112A7590420AAFCF1ADF59E98199E7BF9EF48314F114059FC08AB312DB31EA11CBA5

Function 00335000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00334C7D: RtlAllocateHeap.NTDLL(00000008,00301129,00000000,?,00332E29,00000001,00000364,?,?,?,0032F2DE,00333863,003D1444,?,0031FDF5,?), ref: 00334CBE

_free.LIBCMT ref: 0033506C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: b390dc197e7b050c9a68e8737b582ee10b58dd61199ede0e138cd78ef2416b78
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 500149B22047046BE3368F65D8C1A9AFBECFB89370F25051DE184872C0EB31A805C7B4

Function 0032E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 0aa66c70e7a8dce3ffc8df515c3d724c40040097a526ba5b41e3905ed70fe839
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2FF02832510B30ABC7333B69BC06B5B339C9F52331F110725F4209B1D2DB78E80186A5

Function 00334C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00301129,00000000,?,00332E29,00000001,00000364,?,?,?,0032F2DE,00333863,003D1444,?,0031FDF5,?), ref: 00334CBE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4547c4d31832d2cd71452fb347448c0f19fc82f9f438297f0dac26b904017dca
Instruction ID: 3ad35df8dc268cb1a8b30597aea0fc431a7f469e3af3fb2f917d74e5c62cd795
Opcode Fuzzy Hash: 4547c4d31832d2cd71452fb347448c0f19fc82f9f438297f0dac26b904017dca
Instruction Fuzzy Hash: 50F0E93160323477DB235F62AC45B5A378CFF41BA0F169122F815AA191CA70FC0147E0

Function 00333820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b3ad1c708806588f1327377797e360ca9cfe328aec0306e6813f2bef8b6a75f
Instruction ID: e405e4774d795b154338020c53ac079e2f4636073abb88709ccb8a52cb951cc3
Opcode Fuzzy Hash: 6b3ad1c708806588f1327377797e360ca9cfe328aec0306e6813f2bef8b6a75f
Instruction Fuzzy Hash: 49E0E535101234A6E7232A66AC40B9A374CAF427B0F068021BC049E8A0CB11DD0582E5

Function 00304F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304F6D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: da8cbcec54772451c622caa2a559a311e2b79f067d3947617d69fbbe53598054
Instruction ID: b466feeae78cfb29fc3b705a89cc311f170401171695f3b10d9496bf8e1f880b
Opcode Fuzzy Hash: da8cbcec54772451c622caa2a559a311e2b79f067d3947617d69fbbe53598054
Instruction Fuzzy Hash: CDF030B1106752CFDB369F64E4A0822B7E4EF14319311897EE3DA82951C7319944DF10

Function 00392A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00392A66

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8c85a5ff83e800784435a44c6ea631d663090183e6610e9530a02193cbd0fb6c
Instruction ID: d4b70e50665fe92de3b69bfd70cb9268508541736fee51616c6c9916018f0b5a
Opcode Fuzzy Hash: 8c85a5ff83e800784435a44c6ea631d663090183e6610e9530a02193cbd0fb6c
Instruction Fuzzy Hash: 65E04F77754516BACB26EB30DC809FB735CEB61395B108536AC1AC6500DF34999586A0

Function 003030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0030314E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8288c2f032201f04dbb4ed1520e9aeb1aded22885add5ea211d82ef97bc273e2
Instruction ID: 23e3ce6cebeb4ba9bc42b68bd987738b2628d4b1c0f42aaf49cf241c472fa4b9
Opcode Fuzzy Hash: 8288c2f032201f04dbb4ed1520e9aeb1aded22885add5ea211d82ef97bc273e2
Instruction Fuzzy Hash: DBF03774A15314AFE753DB24EC457D67BBCAB05708F0000E6A64896291D7745788CF51

Function 00302DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00302DC4

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1c6951574c93f276bff6187933c7a5b311f57d789c20d5334ff0f2d03cddbcce
Instruction ID: f2b9ff4c6978499c7ea764d002c535f51f6b2a4d9c1fa5044ede46ac80ffff74
Opcode Fuzzy Hash: 1c6951574c93f276bff6187933c7a5b311f57d789c20d5334ff0f2d03cddbcce
Instruction Fuzzy Hash: FAE0CD726001245BCB11D7589C06FDA77DDDFC8790F040171FD09DB24CD960AD848550

Function 00302B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00303837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00303908

Part of subcall function 0030D730: GetInputState.USER32 ref: 0030D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00302B6B

Part of subcall function 003030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0030314E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f91a97a3d8a3f9d342632bab4c05cd37fa7bd68bf428e12b9b9771ae5a859a32
Instruction ID: fbb78e761881dc1ea425a17b0109ce76cfb99e977826bb81c76bf0c2cebdb3ae
Opcode Fuzzy Hash: f91a97a3d8a3f9d342632bab4c05cd37fa7bd68bf428e12b9b9771ae5a859a32
Instruction Fuzzy Hash: D7E07D2230320417C607BB75A87257EB36D8BD1311F40153FF1434B2E3CF2445494312

Function 0034039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00340704,?,?,00000000,?,00340704,00000000,0000000C), ref: 003403B7

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4f54c3e838f68a22df99bcce4ccbd82ff2db422fab7e5328ea3c88127ccc7fe6
Instruction ID: 829cd73ea5c1005744cafb41a51275fc3909e73c3d1a87e37271e5c2f6e361fb
Opcode Fuzzy Hash: 4f54c3e838f68a22df99bcce4ccbd82ff2db422fab7e5328ea3c88127ccc7fe6
Instruction Fuzzy Hash: 5CD06C3205010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E821AB94

Function 00301CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00301CBC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 51b3903a2685b2dc83a10b71f98c091d9f8e2a36ec96b5197a8410a9dfda6fbf
Instruction ID: 6e21bda2b469ad4ca4823125080d92cc5ea064801dda8065be97fd96c15b88a1
Opcode Fuzzy Hash: 51b3903a2685b2dc83a10b71f98c091d9f8e2a36ec96b5197a8410a9dfda6fbf
Instruction Fuzzy Hash: 1EC0923A281304AFF3178B85BC4AF11B76DA359B00F448003F609A95E3C3A22820EA50

Non-executed Functions

Function 00399576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0039961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0039969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003996C9
SendMessageW.USER32 ref: 003996F2
GetKeyState.USER32(00000011), ref: 0039978B
GetKeyState.USER32(00000009), ref: 00399798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003997AE
GetKeyState.USER32(00000010), ref: 003997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003997E9
SendMessageW.USER32 ref: 00399810
SendMessageW.USER32(?,00001030,?,00397E95), ref: 00399918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0039992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00399941
SetCapture.USER32(?), ref: 0039994A
ClientToScreen.USER32(?,?), ref: 003999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003999D6
ReleaseCapture.USER32 ref: 003999E1
GetCursorPos.USER32(?), ref: 00399A19
ScreenToClient.USER32(?,?), ref: 00399A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00399A80
SendMessageW.USER32 ref: 00399AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00399AEB
SendMessageW.USER32 ref: 00399B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00399B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00399B4A
GetCursorPos.USER32(?), ref: 00399B68
ScreenToClient.USER32(?,?), ref: 00399B75
GetParent.USER32(?), ref: 00399B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00399BFA
SendMessageW.USER32 ref: 00399C2B
ClientToScreen.USER32(?,?), ref: 00399C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00399CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00399CDE
SendMessageW.USER32 ref: 00399D01
ClientToScreen.USER32(?,?), ref: 00399D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00399D82

Part of subcall function 00319944: GetWindowLongW.USER32(?,000000EB), ref: 00319952

GetWindowLongW.USER32(?,000000F0), ref: 00399E05

Strings

@GUI_DRAGID, xrefs: 0039997D
F, xrefs: 00399D07
p#=, xrefs: 00399990

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#=
API String ID: 3429851547-3009530268
Opcode ID: 09cba40717f7b5303bb3cae2ebd0a6e3b6c96c1520bd62fc3d428ff720ed5399
Instruction ID: 7603bdf815d25ebe59cd5f9850c976f10ad63670c0ca4ac298d0f4e240ee4ab2
Opcode Fuzzy Hash: 09cba40717f7b5303bb3cae2ebd0a6e3b6c96c1520bd62fc3d428ff720ed5399
Instruction Fuzzy Hash: BC428D35604241AFDB26CF68CC54BAABBE9FF49320F15061EF699872A1D731E890CF51

Function 00394873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00394908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00394927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0039494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0039495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0039497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00394A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00394A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00394A7E
IsMenu.USER32(?), ref: 00394A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00394AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00394B20
GetWindowLongW.USER32(?,000000F0), ref: 00394B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00394BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00394C82
wsprintfW.USER32 ref: 00394CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00394CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00394CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00394D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00394D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00394D5A

Strings

%d/%02d/%02d, xrefs: 00394CA8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: be6bb8f74827f192a7c29feebc0bb4fbe20424408c09b4654240b23685bb7296
Instruction ID: e37b3c322e8352a95d35950296d033616e50eb554f5b0fda58b6fa8068808188
Opcode Fuzzy Hash: be6bb8f74827f192a7c29feebc0bb4fbe20424408c09b4654240b23685bb7296
Instruction Fuzzy Hash: D712D071600215ABEF269F28CC49FAEBBF8EF45710F14412AF516EB2E1DB749942CB50

Function 0031F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0031F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0035F474
IsIconic.USER32(00000000), ref: 0035F47D
ShowWindow.USER32(00000000,00000009), ref: 0035F48A
SetForegroundWindow.USER32(00000000), ref: 0035F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0035F4AA
GetCurrentThreadId.KERNEL32 ref: 0035F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0035F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0035F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0035F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0035F4DE
SetForegroundWindow.USER32(00000000), ref: 0035F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0035F4F6
keybd_event.USER32(00000012,00000000), ref: 0035F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0035F50B
keybd_event.USER32(00000012,00000000), ref: 0035F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0035F519
keybd_event.USER32(00000012,00000000), ref: 0035F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0035F528
keybd_event.USER32(00000012,00000000), ref: 0035F52D
SetForegroundWindow.USER32(00000000), ref: 0035F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0035F557

Strings

Shell_TrayWnd, xrefs: 0035F46F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 070065ad943dc3b25039968d2be3d94687a8b36de25ee0aef52d7b56e7d77eb4
Instruction ID: a458985fa159b406baf1161bb7f50cd9358e2429c29c4f2141ca545afed06f73
Opcode Fuzzy Hash: 070065ad943dc3b25039968d2be3d94687a8b36de25ee0aef52d7b56e7d77eb4
Instruction Fuzzy Hash: 6431A771A50318BFEB226BB65C4AFBF7E6CEB45B50F111426FA00E71D1D7B15D00AAA0

Function 00361201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036170D
Part of subcall function 003616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0036173A
Part of subcall function 003616C3: GetLastError.KERNEL32 ref: 0036174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00361286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003612A8
CloseHandle.KERNEL32(?), ref: 003612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003612D1
GetProcessWindowStation.USER32 ref: 003612EA
SetProcessWindowStation.USER32(00000000), ref: 003612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00361310

Part of subcall function 003610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003611FC), ref: 003610D4
Part of subcall function 003610BF: CloseHandle.KERNEL32(?,?,003611FC), ref: 003610E9

Strings

, xrefs: 0036125A
winsta0, xrefs: 003612CC
Z<, xrefs: 00361392
default, xrefs: 0036130B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z<
API String ID: 22674027-3701828379
Opcode ID: ee6439fbbfae01be3bcdfd9b9a653d52ce18184ec879bdf473c3282c8ac0f74b
Instruction ID: 4e0a83b68863ca5839cb7c2ca4dc5b33af83a729b40062236898193f361cf30d
Opcode Fuzzy Hash: ee6439fbbfae01be3bcdfd9b9a653d52ce18184ec879bdf473c3282c8ac0f74b
Instruction Fuzzy Hash: D081AD71900209AFDF239FA5DC49FEE7BBDEF04704F18812AF910A62A4DB718944CB21

Function 00360B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00361114
Part of subcall function 003610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361120
Part of subcall function 003610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 0036112F
Part of subcall function 003610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361136
Part of subcall function 003610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0036114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00360BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00360C00
GetLengthSid.ADVAPI32(?), ref: 00360C17
GetAce.ADVAPI32(?,00000000,?), ref: 00360C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00360C6D
GetLengthSid.ADVAPI32(?), ref: 00360C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00360C8C
HeapAlloc.KERNEL32(00000000), ref: 00360C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00360CB4
CopySid.ADVAPI32(00000000), ref: 00360CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00360CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00360D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00360D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360D45
HeapFree.KERNEL32(00000000), ref: 00360D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360D55
HeapFree.KERNEL32(00000000), ref: 00360D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360D65
HeapFree.KERNEL32(00000000), ref: 00360D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00360D78
HeapFree.KERNEL32(00000000), ref: 00360D7F

Part of subcall function 00361193: GetProcessHeap.KERNEL32(00000008,00360BB1,?,00000000,?,00360BB1,?), ref: 003611A1
Part of subcall function 00361193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00360BB1,?), ref: 003611A8
Part of subcall function 00361193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00360BB1,?), ref: 003611B7

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 893bc45de6c1a33874ac3393caeb40bfbef4ca6d290075985867ea59c8937fb8
Instruction ID: 7ffa20970d75c379b84f240480246657fcf8dc028e66e0bfe6410466274b6277
Opcode Fuzzy Hash: 893bc45de6c1a33874ac3393caeb40bfbef4ca6d290075985867ea59c8937fb8
Instruction Fuzzy Hash: 40715A7290020AAFDF16DFA4DC45BAFBBBCBF05300F058616E915A6295D772EA05CB60

Function 0037EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0039CC08), ref: 0037EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0037EB37
GetClipboardData.USER32(0000000D), ref: 0037EB43
CloseClipboard.USER32 ref: 0037EB4F
GlobalLock.KERNEL32(00000000), ref: 0037EB87
CloseClipboard.USER32 ref: 0037EB91
GlobalUnlock.KERNEL32(00000000), ref: 0037EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0037EBC9
GetClipboardData.USER32(00000001), ref: 0037EBD1
GlobalLock.KERNEL32(00000000), ref: 0037EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0037EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0037EC38
GetClipboardData.USER32(0000000F), ref: 0037EC44
GlobalLock.KERNEL32(00000000), ref: 0037EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0037EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0037EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0037ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0037ECF3
CountClipboardFormats.USER32 ref: 0037ED14
CloseClipboard.USER32 ref: 0037ED59

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 466db91c12a13a8f35c1ee3fb045a0a668695d76019e213fa4cd53cff87dd66e
Instruction ID: cad70e72f3a88232263c59b1b28e602153883f9b1e638e1ba48785c7c76501b2
Opcode Fuzzy Hash: 466db91c12a13a8f35c1ee3fb045a0a668695d76019e213fa4cd53cff87dd66e
Instruction Fuzzy Hash: 4A61E6352043019FD322DF24D895F2A7BE8AF88704F05959EF45A9B2E2DB35DD05CB62

Function 0037698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003769BE
FindClose.KERNEL32(00000000), ref: 00376A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00376A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00376A75

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00376AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00376ADF

Strings

%02d, xrefs: 00376C00, 00376C0A, 00376C5A, 00376CAA, 00376CFA, 00376D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00376B32
%4d%02d%02d%02d%02d%02d, xrefs: 00376B6A
%03d, xrefs: 00376DA2
%4d, xrefs: 00376BB1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9f932106b35063b23e088946656b63660631700c2695acae18f5892c87db1620
Instruction ID: d4c813db81269adb5ebadc462deafdcf8ce7eb110eec2cbbf46a636d3dc95177
Opcode Fuzzy Hash: 9f932106b35063b23e088946656b63660631700c2695acae18f5892c87db1620
Instruction Fuzzy Hash: ABD185B1509340AFC715EB64C8A2EAFB7ECAF88704F44491EF589DB191EB34DA44C762

Function 00379642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00379663
GetFileAttributesW.KERNEL32(?), ref: 003796A1
SetFileAttributesW.KERNEL32(?,?), ref: 003796BB
FindNextFileW.KERNEL32(00000000,?), ref: 003796D3
FindClose.KERNEL32(00000000), ref: 003796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0037974A
SetCurrentDirectoryW.KERNEL32(003C6B7C), ref: 00379768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00379772
FindClose.KERNEL32(00000000), ref: 0037977F
FindClose.KERNEL32(00000000), ref: 0037978F

Strings

*.*, xrefs: 003796F5

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 837a362139f7eaade6228959cc4a588117573fe597404f5fcb47b22d6d3ddc06
Instruction ID: e32890ec7def991f0ef137f53d860630b19aff9d60cb85b7e6adbd6143f07948
Opcode Fuzzy Hash: 837a362139f7eaade6228959cc4a588117573fe597404f5fcb47b22d6d3ddc06
Instruction Fuzzy Hash: E231C3325412596BDF26EFB4EC49FDE77AC9F09320F118657F809E2190DB39DE408A20

Function 0037979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00379819
FindClose.KERNEL32(00000000), ref: 00379824
FindFirstFileW.KERNEL32(*.*,?), ref: 00379840
SetCurrentDirectoryW.KERNEL32(?), ref: 00379890
SetCurrentDirectoryW.KERNEL32(003C6B7C), ref: 003798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003798B8
FindClose.KERNEL32(00000000), ref: 003798C5
FindClose.KERNEL32(00000000), ref: 003798D5

Part of subcall function 0036DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0036DB00

Strings

*.*, xrefs: 0037983B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 6d1b1357091d2a62ba9e3a3433bb8d2cf29bfdc6779405badafe5b5d50b02a17
Instruction ID: 5a83f1e84e5a2ac3e7529bad14359e6ed08eb79fbcf22c12dfbb1ec702e2030a
Opcode Fuzzy Hash: 6d1b1357091d2a62ba9e3a3433bb8d2cf29bfdc6779405badafe5b5d50b02a17
Instruction Fuzzy Hash: 4131D0325002197ADF22EFB4EC49BDE77AC9F06320F158697E858E2190DB39DE448B21

Function 0038BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0038C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038B6AE,?,?), ref: 0038C9B5
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038C9F1
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA68
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0038BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0038BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0038C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0038C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0038C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0038C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0038C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0038C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0038C382
RegCloseKey.ADVAPI32(00000000), ref: 0038C38F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 69cf226e3bc93ba9ece0faab95fb6c7f2711d7cc896c9bb5fb225204b237e6e5
Instruction ID: d294d43555f73b439777f0729ca19412e1c5cf4941faf7072a9a6a5287b66074
Opcode Fuzzy Hash: 69cf226e3bc93ba9ece0faab95fb6c7f2711d7cc896c9bb5fb225204b237e6e5
Instruction Fuzzy Hash: C9025B706143009FD716DF28C895E2ABBE5AF89304F19849DF84ACF2A2D731EC46CB61

Function 00378195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00378257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00378267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00378273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00378310
SetCurrentDirectoryW.KERNEL32(?), ref: 00378324
SetCurrentDirectoryW.KERNEL32(?), ref: 00378356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0037838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00378395

Strings

*.*, xrefs: 0037839B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: df639c865c0a21bbfff5480bca1ede2d14fcb6fe07b85b7228cf49e2ffa20755
Instruction ID: 713b13fb873947bc6892f69f232d872eb8f6e9e36be984756c20d63c058b2e98
Opcode Fuzzy Hash: df639c865c0a21bbfff5480bca1ede2d14fcb6fe07b85b7228cf49e2ffa20755
Instruction Fuzzy Hash: B5618C765043059FDB21EF64C8449AEB3E8FF89314F04891EF989CB251DB35E945CB92

Function 0036D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00303AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00303A97,?,?,00302E7F,?,?,?,00000000), ref: 00303AC2

Part of subcall function 0036E199: GetFileAttributesW.KERNEL32(?,0036CF95), ref: 0036E19A

FindFirstFileW.KERNEL32(?,?), ref: 0036D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0036D1DD
MoveFileW.KERNEL32(?,?), ref: 0036D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0036D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0036D237

Part of subcall function 0036D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0036D21C,?,?), ref: 0036D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0036D253
FindClose.KERNEL32(00000000), ref: 0036D264

Strings

\*.*, xrefs: 0036D0CD, 0036D0D6, 0036D0EB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a92197f19d985da20c3fa90a5adb2a97d71b408664a8a8c3294b10a9f2553bc3
Instruction ID: 4baa7c317985fb13d086d87437f7717325d04755a3ce2f7f5e7f4c6e484f4acb
Opcode Fuzzy Hash: a92197f19d985da20c3fa90a5adb2a97d71b408664a8a8c3294b10a9f2553bc3
Instruction Fuzzy Hash: 5C615F31D0214D9FCF06EBE0D9A29EEB779AF55300F208565E4027B196EB319F09CB60

Function 0037ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0037ED91
EmptyClipboard.USER32 ref: 0037ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0037EDAC
CloseClipboard.USER32 ref: 0037EEA3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fbc6e95fbdfba412596fc022c1824ac826a5f8a41e0c9321357f3f19912a2368
Instruction ID: eb4c461b5c35eb7e3572ce7cc61438c59ff34936b6eaa629ad313f94f3b9aa19
Opcode Fuzzy Hash: fbc6e95fbdfba412596fc022c1824ac826a5f8a41e0c9321357f3f19912a2368
Instruction Fuzzy Hash: 1341D435204611AFD722CF15E898F15BBE9FF48318F15C49AE4198FAA2C736EC41CB90

Function 0036E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036170D
Part of subcall function 003616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0036173A
Part of subcall function 003616C3: GetLastError.KERNEL32 ref: 0036174A

ExitWindowsEx.USER32(?,00000000), ref: 0036E932

Strings

@, xrefs: 0036E925
, xrefs: 0036E95C
, xrefs: 0036E920
SeShutdownPrivilege, xrefs: 0036E902

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d4d498b77fedadc7867126b8aa5ea08d82aa0a05e24989d6c206ca4f8d0709e7
Instruction ID: e1839223c8f49501fe273d9c2ee67631529a67b9c015de996a5d487c7d3acf1b
Opcode Fuzzy Hash: d4d498b77fedadc7867126b8aa5ea08d82aa0a05e24989d6c206ca4f8d0709e7
Instruction Fuzzy Hash: BF014E36620210AFFB5622749C86FBF73EC9F04740F158422FC13E21D5D7655C5481A0

Function 00381204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00381276
WSAGetLastError.WSOCK32 ref: 00381283
bind.WSOCK32(00000000,?,00000010), ref: 003812BA
WSAGetLastError.WSOCK32 ref: 003812C5
closesocket.WSOCK32(00000000), ref: 003812F4
listen.WSOCK32(00000000,00000005), ref: 00381303
WSAGetLastError.WSOCK32 ref: 0038130D
closesocket.WSOCK32(00000000), ref: 0038133C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: be237985e5b59a8989c4c502e6e7859281a8d5443a1989d937add56c7b1f70a8
Instruction ID: 86634bee954c9369a2407b7ec64706f1377ae420acfff4e9c30edd4a8ac38ccd
Opcode Fuzzy Hash: be237985e5b59a8989c4c502e6e7859281a8d5443a1989d937add56c7b1f70a8
Instruction Fuzzy Hash: B341A4356002009FD711EF64C494B6ABBE9BF46318F1985C9D8568F2D6C771ED82CBE1

Function 0036D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00303AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00303A97,?,?,00302E7F,?,?,?,00000000), ref: 00303AC2

Part of subcall function 0036E199: GetFileAttributesW.KERNEL32(?,0036CF95), ref: 0036E19A

FindFirstFileW.KERNEL32(?,?), ref: 0036D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0036D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0036D481
FindClose.KERNEL32(00000000), ref: 0036D498
FindClose.KERNEL32(00000000), ref: 0036D4A1

Strings

\*.*, xrefs: 0036D3F2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8ff50d6a3670cf1563430cc9c9f8c9009fd21abdf81516bd2713ce4ef0b0bf06
Instruction ID: 82bd163fab2e3cf2c9a6fedd6d6ef0d39e4a7a743e016583e8cc59ee303f83af
Opcode Fuzzy Hash: 8ff50d6a3670cf1563430cc9c9f8c9009fd21abdf81516bd2713ce4ef0b0bf06
Instruction Fuzzy Hash: B1316B315193459BC207EF65D8A29AFB7ACAE91300F448E1EF4D197191EF31AE098B62

Function 0033E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0033E645

Strings

1#SNAN, xrefs: 0033F844
1#INF, xrefs: 0033F852
1#QNAN, xrefs: 0033F84B
1#IND, xrefs: 0033F83D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 69ab29ab3bd5f814578fad48cbb49b0827d9a995d6b2b526727eac8d47432d08
Instruction ID: 5f8f114a6077b0e3a734b17fb1e9a3d122a883b714c5b77af616dd0b074f92f3
Opcode Fuzzy Hash: 69ab29ab3bd5f814578fad48cbb49b0827d9a995d6b2b526727eac8d47432d08
Instruction Fuzzy Hash: 01C24D71E086288FDB26CF28DD807EAB7B9EB45305F5541EAD44DE7281E774AE818F40

Function 0037648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003764DC
CoInitialize.OLE32(00000000), ref: 00376639
CoCreateInstance.OLE32(0039FCF8,00000000,00000001,0039FB68,?), ref: 00376650
CoUninitialize.OLE32 ref: 003768D4

Strings

.lnk, xrefs: 003764BA, 00376524, 003765E0

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 5f90c069158600cb98f4053949ebb651f756eb491e2749788654a793a67206ce
Instruction ID: 645ae4f1b716b2363f1b0a1071e3e4bb1980f8baabf93a142f38706ff1a53ee0
Opcode Fuzzy Hash: 5f90c069158600cb98f4053949ebb651f756eb491e2749788654a793a67206ce
Instruction Fuzzy Hash: 3ED15A71509601AFC315EF24C8A2E6BB7E8FF95704F00896DF5998B292DB70ED05CB92

Function 003822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003822E8

Part of subcall function 0037E4EC: GetWindowRect.USER32(?,?), ref: 0037E504

GetDesktopWindow.USER32 ref: 00382312
GetWindowRect.USER32(00000000), ref: 00382319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00382355
GetCursorPos.USER32(?), ref: 00382381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003823DF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 0418e66483f94db0772556ca441f145fb554903c40d52df290a3b70a592bfc7d
Instruction ID: 69e6ad16596597a0675aa0407667a02ac1033397c6e3c50c1f7a54bb6927b0fd
Opcode Fuzzy Hash: 0418e66483f94db0772556ca441f145fb554903c40d52df290a3b70a592bfc7d
Instruction Fuzzy Hash: BB31E076504315AFDB22EF55C849B9BBBEDFF88310F00091AF98597181DB75EA08CB92

Function 00379B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00379B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00379C8B

Part of subcall function 00373874: GetInputState.USER32 ref: 003738CB
Part of subcall function 00373874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00373966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00379BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00379C75

Strings

*.*, xrefs: 00379B5D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 03fedb43b80b6bf1897bdecb71fe71d39285e7e8a0f7f935eb12ba46913ed0a2
Instruction ID: 341b222cf0db9bb4fcc42d9f652da02ed2d6d7ffebf4b8e8f23848aa06ad07b6
Opcode Fuzzy Hash: 03fedb43b80b6bf1897bdecb71fe71d39285e7e8a0f7f935eb12ba46913ed0a2
Instruction Fuzzy Hash: 0341847190120AAFCF27DF64C995BEE7BB8EF05310F148196E409A7291DB359E44CF60

Function 0031997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00319A4E
GetSysColor.USER32(0000000F), ref: 00319B23
SetBkColor.GDI32(?,00000000), ref: 00319B36

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 7689c712deba257140830563a4995b487f8058b16271f8e3b3d1b1d92486c568
Instruction ID: 8c915b06377aec254bad198b58d6b4c54200f65e77f298a2edf6d96bccc7e6e2
Opcode Fuzzy Hash: 7689c712deba257140830563a4995b487f8058b16271f8e3b3d1b1d92486c568
Instruction Fuzzy Hash: 66A11F70208444BFE72F9A2CAC78FFB269DDF4E341F16410BF802CA9A1C6259D89D271

Function 00381806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0038304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0038307A
Part of subcall function 0038304E: _wcslen.LIBCMT ref: 0038309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0038185D
WSAGetLastError.WSOCK32 ref: 00381884
bind.WSOCK32(00000000,?,00000010), ref: 003818DB
WSAGetLastError.WSOCK32 ref: 003818E6
closesocket.WSOCK32(00000000), ref: 00381915

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 8fe7b8e9a4ab8f9a8ca30a89da00a7d33bbf9cbf69661d5007b41c9debbdb10e
Instruction ID: e176a0e79bc3ce5eee54defc253dacfd12ad23d7bc2a27c78fb47a69295a0e6e
Opcode Fuzzy Hash: 8fe7b8e9a4ab8f9a8ca30a89da00a7d33bbf9cbf69661d5007b41c9debbdb10e
Instruction Fuzzy Hash: 3551C671A002009FD716AF24C896F6A77E9AB49718F14849CF9055F3D3CB71AD82CBE1

Function 00391C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00391CC0
IsWindowEnabled.USER32 ref: 00391CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00391CDB
IsIconic.USER32 ref: 00391CE9
IsZoomed.USER32 ref: 00391CF7

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 70b8f0a4550314e40b6c3cb5893e5ecdfb3bb4dd6611ba02a780fe057131c3e7
Instruction ID: 4dcb2ee70cd6cb8fafdfeb10971a2459a8a7471ec022463465bab1d301bfa276
Opcode Fuzzy Hash: 70b8f0a4550314e40b6c3cb5893e5ecdfb3bb4dd6611ba02a780fe057131c3e7
Instruction Fuzzy Hash: 7F21F7317402025FDB228F1AC844F6A7BE9EF85314F1A9069E846DB351CB72DC42CF90

Function 00308060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 003083E8
VUUU, xrefs: 0030843C
VUUU, xrefs: 00345DF0
VUUU, xrefs: 003083FA
ERCP, xrefs: 0030813C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8539cfbc38b59d3e539d13efd7d98d0dd3da443495d1c501afce494a81b94fec
Instruction ID: f0c09ad4b708375f49cf1fa10df1824bcb48058dcfe26f17ceb0676e829bbc48
Opcode Fuzzy Hash: 8539cfbc38b59d3e539d13efd7d98d0dd3da443495d1c501afce494a81b94fec
Instruction Fuzzy Hash: 33A2D070E0161ACBDF26CF58C8517AEB7B1FF45310F2581AAE855AB285DB30AD81CF91

Function 00368298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003682AA

Strings

tb<, xrefs: 003684F4
|, xrefs: 003682DA
(, xrefs: 003682F0

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb<$|
API String ID: 1659193697-3847509607
Opcode ID: 7761c243e6e22c7be5fe65d3f052c0507714be4e725f6b8947aeb4cfd4615d6a
Instruction ID: 3a40e8156e127f9c210eea814866d340e174a0112a6b379ab183899615a7495b
Opcode Fuzzy Hash: 7761c243e6e22c7be5fe65d3f052c0507714be4e725f6b8947aeb4cfd4615d6a
Instruction Fuzzy Hash: 39324778A007059FCB29CF19C081A6AB7F0FF48710B15C56EE59ADB7A1EB70E941CB44

Function 0036AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0036AAAC
SetKeyboardState.USER32(00000080), ref: 0036AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0036AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0036AB88

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 19a4ceac489976da88e6c3ddb42bec5bf8f73cbffc100f4c23f1cb8a236fd6cf
Instruction ID: 3a254d4dd0b90ec2db2822ffb7c10c144a936fb898a15e75a2e2bd0aea953e68
Opcode Fuzzy Hash: 19a4ceac489976da88e6c3ddb42bec5bf8f73cbffc100f4c23f1cb8a236fd6cf
Instruction Fuzzy Hash: 9531E930A40A48AEEB37CA65CC05BFE7BAAAB45310F04C21BE581671D9D3758D81DB66

Function 0033BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0033BB7F

Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0

GetTimeZoneInformation.KERNEL32 ref: 0033BB91
WideCharToMultiByte.KERNEL32(00000000,?,003D121C,000000FF,?,0000003F,?,?), ref: 0033BC09
WideCharToMultiByte.KERNEL32(00000000,?,003D1270,000000FF,?,0000003F,?,?,?,003D121C,000000FF,?,0000003F,?,?), ref: 0033BC36

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: ce7d4b927dcc8726ac24ad47c678162d6487ff44bb296d9672dce4e3778ebcb6
Instruction ID: 6e27613d7de45369c83bd87dec3c3387c86101ad6b52b33372286579a0fa11bb
Opcode Fuzzy Hash: ce7d4b927dcc8726ac24ad47c678162d6487ff44bb296d9672dce4e3778ebcb6
Instruction Fuzzy Hash: DB319C71904205EFCB13DF69EC80969FBBCBF45320F1546AAE161DB2A1DB319A40CB50

Function 0037CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0037CE89
GetLastError.KERNEL32(?,00000000), ref: 0037CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0037CEFE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 0e99342de4d5b86654c7b01fe63f90223cc297c82cefff7973b501531b165272
Instruction ID: fcc0ef994befab0a0656a3bd9744b8f53777d45af3cadfa821051cf8075a69a0
Opcode Fuzzy Hash: 0e99342de4d5b86654c7b01fe63f90223cc297c82cefff7973b501531b165272
Instruction Fuzzy Hash: 0921EAB1510305AFEB32CFA5C988BA6B7FCEB00305F10981EE54AD2551E738EE448BA0

Function 00375C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00375CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00375D17
FindClose.KERNEL32(?), ref: 00375D5F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b15308217416c588e0567dcf972d90cd81ba3267323e0114bbd6e2b69741cb34
Instruction ID: e3745e2ee5afe3dbbaf7feb1a339e3513344426217e2760b6edc2487e4c6ef36
Opcode Fuzzy Hash: b15308217416c588e0567dcf972d90cd81ba3267323e0114bbd6e2b69741cb34
Instruction Fuzzy Hash: 1C51AA74604A019FC72ACF28C494E96B7E4FF09314F15855EE99A8B3A1CB74FD04CB91

Function 00332622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0033271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00332724
UnhandledExceptionFilter.KERNEL32(?), ref: 00332731

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5393aa0f1a977849555c0e7afd997abce35f4711288db407b8ff237805af0b55
Instruction ID: 3876d0ebba750a79a824b2cef77946f307fefabeeb6bd1f5a69ff1082e45145d
Opcode Fuzzy Hash: 5393aa0f1a977849555c0e7afd997abce35f4711288db407b8ff237805af0b55
Instruction Fuzzy Hash: C531B574911228ABCB22DF64DC8979DB7B8BF08310F5041EAE41CA7261E7749F858F45

Function 003751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00375238
SetErrorMode.KERNEL32(00000000), ref: 003752A1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8184611b4984349db1a63b55efbeee3c8a86cd7ff21d22251c44a77f6b4bbec7
Instruction ID: 4a5c10eed4fdc2287e6601e737e474dc9f3c53f41700767756f4064d136b74b3
Opcode Fuzzy Hash: 8184611b4984349db1a63b55efbeee3c8a86cd7ff21d22251c44a77f6b4bbec7
Instruction Fuzzy Hash: 7E318075A10518DFDB01DF54D884EADBBB4FF09314F048499E809AF3A2CB35E846CB51

Function 003616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0031FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00320668
Part of subcall function 0031FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00320685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0036173A
GetLastError.KERNEL32 ref: 0036174A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b532b0b09610d43f002638e23b07246d8202c572ca97fbc79775454816abf328
Instruction ID: 4b1be824d3a6bc03ed886f94e54e07d00552adc31dc86106d0220117823bbc41
Opcode Fuzzy Hash: b532b0b09610d43f002638e23b07246d8202c572ca97fbc79775454816abf328
Instruction Fuzzy Hash: 7D11BCB2410204AFD719AF54EC86DAAB7BDEB08714B24852EE05656285EB70FC81CB20

Function 0036D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0036D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0036D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0036D650

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0e6411dd87a00eac1263d4f4a5efe20fd9c878b6a6945016b8c0bd5c3d5dd692
Instruction ID: 62bfb9b1ee3e2b68315ad92d2aea69bf1337d9695d71b6e17177c173b9d91e9b
Opcode Fuzzy Hash: 0e6411dd87a00eac1263d4f4a5efe20fd9c878b6a6945016b8c0bd5c3d5dd692
Instruction Fuzzy Hash: E5116175E05228BFDB118F95DC45FAFBFBCEB45B50F108116F904E7294D6704A058BA1

Function 00361663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0036168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003616A1
FreeSid.ADVAPI32(?), ref: 003616B1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a98a995f7a766c9b62a7a6383ac5709eb41557dbd3ef302410432c55cdbe3b83
Instruction ID: d0329955a1ca397dcd28b8cf632e80fbffaf3ea9c567e2ace7e57222941eaf72
Opcode Fuzzy Hash: a98a995f7a766c9b62a7a6383ac5709eb41557dbd3ef302410432c55cdbe3b83
Instruction Fuzzy Hash: 3EF04471950308FBDB00DFE0CC89AAEBBBCEB08300F404561E900E2281E331EA048A50

Function 0035D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0035D28C

Strings

X64, xrefs: 0035D2A8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d9ff61f19b5a74a727c40c7afe6c7cec6274dc0b7ff0860f0a518cfd9339c172
Instruction ID: 34046a9705f2fe7bbd820bf5990f040ed018488947b7f6d16990e8ee82679b0c
Opcode Fuzzy Hash: d9ff61f19b5a74a727c40c7afe6c7cec6274dc0b7ff0860f0a518cfd9339c172
Instruction Fuzzy Hash: 61D0C9B481111DEECB95CB90DC88DDDB37CBB08305F100552F506A2500D77095488F20

Function 0032CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 8ca1f75bd878d8576c2686ed8afefb26ece3e7caee616cc2d9722e8ebb81a7b4
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: BD022C71E102299BDF15CFA9D9806ADFBF1EF48314F25816AD819EB384D731AE41CB80

Function 0030CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00350C40
p#=, xrefs: 0030CF7F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#=
API String ID: 0-163314492
Opcode ID: d547c14d416602172412196fa44e95d25469872e39460cb174d6e1225197b0d0
Instruction ID: f6ba926b3efcae9774691029002cfa467463ab19533b121b8a7b4bf4407e513e
Opcode Fuzzy Hash: d547c14d416602172412196fa44e95d25469872e39460cb174d6e1225197b0d0
Instruction Fuzzy Hash: F932AD70911208DBDF1ADF94C8A1BEDB7B9BF05304F214159E806AF2D2DB32AD4ACB51

Function 003768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00376918
FindClose.KERNEL32(00000000), ref: 00376961

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4b18e8bd42a6d17a22454e5e4bbd8244c378a5b56bcbbab589db0ed7baaf8d41
Instruction ID: 2d0380af36cc88eb3b2e63024fa1e5a28c86d1a9338a5ca4d6217131a56072cd
Opcode Fuzzy Hash: 4b18e8bd42a6d17a22454e5e4bbd8244c378a5b56bcbbab589db0ed7baaf8d41
Instruction Fuzzy Hash: EC11E2716146019FC711CF29C895A16BBE4FF85328F05C699F5698F7A2CB34EC05CB91

Function 003737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00384891,?,?,00000035,?), ref: 003737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00384891,?,?,00000035,?), ref: 003737F4

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b63c7616278c5130c160134e3f6fabf8c8e176d85aacb3ddc50c02c929cb7ae7
Instruction ID: d6012b5803a6b041b99cdf8b59d7bc6f04b3701c2fe4ca8aa511f999d77f7068
Opcode Fuzzy Hash: b63c7616278c5130c160134e3f6fabf8c8e176d85aacb3ddc50c02c929cb7ae7
Instruction Fuzzy Hash: FAF0E5B16052282AEB2257668C8DFEB3BAEEFC4761F000266F509D2281D9609944C6B0

Function 0036B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0036B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0036B270

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: ef9afdd74bd43ac77d134c31085389da5d4305bbd7db988e47b8ce2b51730a84
Instruction ID: 98dc0ca999d19090fd413a20dd75d9cc7d6db66a9234ab8f0b7ae00714f51903
Opcode Fuzzy Hash: ef9afdd74bd43ac77d134c31085389da5d4305bbd7db988e47b8ce2b51730a84
Instruction Fuzzy Hash: 06F06D7080428DABDB068FA0C805BAEBBB4FF04305F00840AF951A5192C37982119F94

Function 003610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003611FC), ref: 003610D4
CloseHandle.KERNEL32(?,?,003611FC), ref: 003610E9

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dbb8fd16afccb7a152ef47452d0bc7ed785c1854bf2850b3085e2ad29c0fc405
Instruction ID: 4f1a819c83be2de65097d60a5096046678b8122b1538618f90d4ef186b11849c
Opcode Fuzzy Hash: dbb8fd16afccb7a152ef47452d0bc7ed785c1854bf2850b3085e2ad29c0fc405
Instruction Fuzzy Hash: 2DE0BF72018650AEE7262B51FC05EB777ADEB04310F14882EF5A5844B5DB62ACE0DB60

Function 0033676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00336766,?,?,00000008,?,?,0033FEFE,00000000), ref: 00336998

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2be409ba35c989abcfe51de8c37470fe6e4a8b2419a375ac771b7e249a21aef6
Instruction ID: 7901a53f09a4e26adaec799a9d75cc1c252b76739f4ce86e2bc41c17c99f77b0
Opcode Fuzzy Hash: 2be409ba35c989abcfe51de8c37470fe6e4a8b2419a375ac771b7e249a21aef6
Instruction Fuzzy Hash: 8FB11A71610609AFD716CF28C4CAB657BE0FF49364F26C658E899CF2A2C735E991CB40

Function 0031B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0035851F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b02b37dc13245ba3fdc1f0f6e547ef6ed1e523568e9d4e7cea91e4539f72e52c
Instruction ID: 5c651944311107612890420fa209f767f1d3418fa88ceb6be8bb608bed7f314d
Opcode Fuzzy Hash: b02b37dc13245ba3fdc1f0f6e547ef6ed1e523568e9d4e7cea91e4539f72e52c
Instruction Fuzzy Hash: 851260759002299FDB16CF59C880AEEB7F5FF48710F15819AE849EB251EB309E85CF90

Function 0037EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0037EABD

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 27c6d600d32f6c657d7a9e6813dbb36a95bd73e6ffa2a304b578ef1e9a127ae8
Instruction ID: 1e2fb596d04460624608a0d69c5ba13b3a4de9cac73a7ffa2d21e8e4261fb874
Opcode Fuzzy Hash: 27c6d600d32f6c657d7a9e6813dbb36a95bd73e6ffa2a304b578ef1e9a127ae8
Instruction Fuzzy Hash: CBE01A312202049FC711EF59D814E9AF7EDAF98760F008456FC49CB291DA74A8408B91

Function 003209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003203EE), ref: 003209DA

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 86f64141ac0f2b66d83816b6a2f952a9e95e2716ccaffaac4b80b1a617f096b2
Instruction ID: 311a25640c4a1b376b040390d529fffe228ccaef2538fce0631827240be48182
Opcode Fuzzy Hash: 86f64141ac0f2b66d83816b6a2f952a9e95e2716ccaffaac4b80b1a617f096b2
Instruction Fuzzy Hash:

Function 0032781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0032798B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: b4374c22cb32b19c6bf8b162b8b18559e7cdcf86c5110e074fe264bb7176ce1a
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2A51557160C7795BDB3B8678B85F7FE2389BB02340F190509E982DB682CB25DE81D356

Function 00372046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&=, xrefs: 00372053

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: 0&=
API String ID: 0-1084027831
Opcode ID: 281c521f86069f9e0b838fd26535bba73419b264b673acfa666183de28156e37
Instruction ID: b349e7c7eee93808b61cdb238264b4798fe5b9abd916e974ffc502e6c7a0e107
Opcode Fuzzy Hash: 281c521f86069f9e0b838fd26535bba73419b264b673acfa666183de28156e37
Instruction Fuzzy Hash: 1421D8326216118BD728CF79D81367F73E9A764310F198A2EE4A7C73D0DE39A904CB90

Function 00336DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db3655a91c7217887256aa444c3d0d08939edcb75296a260002984f025049a
Instruction ID: 37ea87f34e2ded5eac539506ef73e991fe197e3764f928e790658fb68f3b79e0
Opcode Fuzzy Hash: 01db3655a91c7217887256aa444c3d0d08939edcb75296a260002984f025049a
Instruction Fuzzy Hash: 05322162D29F014DD7279638C862336A64DAFB73C5F15D727E82AB5DAAEB29C4C34100

Function 0031CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8dca4889f748937262fbbcc511050cb9d6726c4427e5f9eab523d72d34b4ada
Instruction ID: a2c7061f74ca90d0e2711d9ef97c16bdee04cf062ae69de061327cf77ea2d976
Opcode Fuzzy Hash: e8dca4889f748937262fbbcc511050cb9d6726c4427e5f9eab523d72d34b4ada
Instruction Fuzzy Hash: C5322D31A203058FCF2BCA68C490DBD7BA5EB49709F2AA566DC45D76A1D330DD8ADB40

Function 00307920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49abb7ceb22a3d94a9c5254c5c991ba9b6165044671fc14557cc815a39f43a6c
Instruction ID: 6adf42c708d51690759eead65aa58cdc3541c34ab757ff54153362085584c816
Opcode Fuzzy Hash: 49abb7ceb22a3d94a9c5254c5c991ba9b6165044671fc14557cc815a39f43a6c
Instruction Fuzzy Hash: 1D22C070E04609DFDF16CFA4D891AAEB7F5FF48300F144629E812AB292EB35AD55CB50

Function 003091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8988dcc0c0a4593a46869bec1c69dab719d4a75c77acd92d60861676db4b3750
Instruction ID: 41566a60ea4c59a57e518e05e928cb28025be163aa1ae3b68bafd62c2e2bafe4
Opcode Fuzzy Hash: 8988dcc0c0a4593a46869bec1c69dab719d4a75c77acd92d60861676db4b3750
Instruction Fuzzy Hash: 300293B1E00209EFDB06DF54D891AAEB7F5FF44300F118569E8169F291EB31AE64CB91

Function 00339EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0d115d946141cc03ffa76fba6914d299abf04f4a1bf1ceb3a2388aad4210f5
Instruction ID: b22cb5c534f0ebefcfab3d6e7a29f166fcad72fa8cc70fb6b7e0f0cbab2b12e3
Opcode Fuzzy Hash: 6c0d115d946141cc03ffa76fba6914d299abf04f4a1bf1ceb3a2388aad4210f5
Instruction Fuzzy Hash: C7B1F024E2AF404DC62396398871336F65CAFBB7D5F91D71BFC6674D62EB2286834140

Function 00321C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: d2d895a4fb6b4dc88b63e5c1d7e9173a9354e397f34598df62b1fde0f7d04f5b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 7C9197726080B34ADB2B463EA63403EFFE15AA23A131B079DD4F2CB1C5FE24D954D660

Function 00321F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 8ec98511eaa8ab3ddd8ea1b1aa7cb81012a3209d48580ee6d7ab8c6ccf4da2b4
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 289185722090B319DB2F4239997443FFFE15A923A131B079DE4F2CB1C5EE24D968E620

Function 003219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: cdfffd0d16e4104e92ad83c26e6ed58af375ca6bb8e94ff2e9b1150423d81676
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B59152722090F34ADB2F467AA67403EFFF55AA23A131B07AED4F2CA5C1FE14C5549660

Function 00327A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1101109a7aca6c9240b86a5b81b5346692892cd0f00aa9bf77a7222c6507b4f3
Instruction ID: 683b7e5de93f255f7601935125c21fb50d8e2f32e7e969293fcbb933843222c4
Opcode Fuzzy Hash: 1101109a7aca6c9240b86a5b81b5346692892cd0f00aa9bf77a7222c6507b4f3
Instruction Fuzzy Hash: 6F61687120C77996DF3B9A28BC96BBE2398FF41710F11091AE843DF781DA119E42C355

Function 00327CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae775686523cefaf716bc709e2bb84fe581747dc68f5c49cb4b06459e5ea2702
Instruction ID: d9661aac4ecbb6ee0410f47976dc7c6aa92af88d001bdb6b3853dce5ca5d80a6
Opcode Fuzzy Hash: ae775686523cefaf716bc709e2bb84fe581747dc68f5c49cb4b06459e5ea2702
Instruction Fuzzy Hash: 6C61AD3520873957DF3B5A287852BBF2388FF42740F120959E943DF681DA12ED428365

Function 00321706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 6d0693dcb4783f3cd85170f81342071bac836eb06b52e045c50b9b4fa5a7a3e2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 938185726080B309DB6F423EA67403EFFE15AA23A131B079DD4F2CB5C5EE24C554E660

Function 00353CD2 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac872c073fd55e1e3cf861d19a2a3eee52f5e2bf874a126f76b425ae706bd73
Instruction ID: 0ac7302879e4afacf8134b458c833bc9db2ba702d8ffc65adcc78167a7564daf
Opcode Fuzzy Hash: 6ac872c073fd55e1e3cf861d19a2a3eee52f5e2bf874a126f76b425ae706bd73
Instruction Fuzzy Hash: 266134B69193C09FC727CF2494A4512BFF1EF12355B1A48EFC8869B992D330E94ACB01

Function 0031D064 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59492df380751fcafe66e9e0c9a61adc284eebf655c41be1d35af1f92ce7e773
Instruction ID: 53741db1206e38c65ea082beb1c2ba17cc6884064e02db2bf03592865480a10b
Opcode Fuzzy Hash: 59492df380751fcafe66e9e0c9a61adc284eebf655c41be1d35af1f92ce7e773
Instruction Fuzzy Hash: 1B41B6E29AEBD24FC31397786C791417F70AE2714934E4AEFC081A74D7E694410ACB8B

Function 00382ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00382B30
DeleteObject.GDI32(00000000), ref: 00382B43
DestroyWindow.USER32 ref: 00382B52
GetDesktopWindow.USER32 ref: 00382B6D
GetWindowRect.USER32(00000000), ref: 00382B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00382CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00382CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382CF8
GetClientRect.USER32(00000000,?), ref: 00382D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00382D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382D80
GlobalLock.KERNEL32(00000000), ref: 00382D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382D98
GlobalUnlock.KERNEL32(00000000), ref: 00382DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382DA8
GlobalFree.KERNEL32(00000000), ref: 00382DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0039FC38,00000000), ref: 00382DDB
GlobalFree.KERNEL32(00000000), ref: 00382DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00382E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00382E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00382E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0038303F

Strings

, xrefs: 00382FC5
static, xrefs: 00382D3A, 00382E91
AutoIt v3, xrefs: 00382CF2
DISPLAY, xrefs: 00382EA2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3c16c57cea9fcc2a3d9aeb2f9d981a021ca6733894dcbd023b7a140ae52f073b
Instruction ID: 1317ba23ecc63c8eaf068c5d1384e418954e36dfbe63b820c1ea9d3d621f405f
Opcode Fuzzy Hash: 3c16c57cea9fcc2a3d9aeb2f9d981a021ca6733894dcbd023b7a140ae52f073b
Instruction Fuzzy Hash: E1028B75A10204AFDB16DFA4CC89EAE7BB9FF49710F048159F915AB2A1CB71ED01CB60

Function 003970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0039712F
GetSysColorBrush.USER32(0000000F), ref: 00397160
GetSysColor.USER32(0000000F), ref: 0039716C
SetBkColor.GDI32(?,000000FF), ref: 00397186
SelectObject.GDI32(?,?), ref: 00397195
InflateRect.USER32(?,000000FF,000000FF), ref: 003971C0
GetSysColor.USER32(00000010), ref: 003971C8
CreateSolidBrush.GDI32(00000000), ref: 003971CF
FrameRect.USER32(?,?,00000000), ref: 003971DE
DeleteObject.GDI32(00000000), ref: 003971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00397230
FillRect.USER32(?,?,?), ref: 00397262
GetWindowLongW.USER32(?,000000F0), ref: 00397284

Part of subcall function 003973E8: GetSysColor.USER32(00000012), ref: 00397421
Part of subcall function 003973E8: SetTextColor.GDI32(?,?), ref: 00397425
Part of subcall function 003973E8: GetSysColorBrush.USER32(0000000F), ref: 0039743B
Part of subcall function 003973E8: GetSysColor.USER32(0000000F), ref: 00397446
Part of subcall function 003973E8: GetSysColor.USER32(00000011), ref: 00397463
Part of subcall function 003973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00397471
Part of subcall function 003973E8: SelectObject.GDI32(?,00000000), ref: 00397482
Part of subcall function 003973E8: SetBkColor.GDI32(?,00000000), ref: 0039748B
Part of subcall function 003973E8: SelectObject.GDI32(?,?), ref: 00397498
Part of subcall function 003973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003974B7
Part of subcall function 003973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003974CE
Part of subcall function 003973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003974DB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6d3e2c44fe1a2bdeb1b853dec70d9cbcffced44038d11094f49ee94a5e07a837
Instruction ID: 1c62082b13ddf26852c8a43cb601d8538634ee0f5071222c5c5a2ddbe494e299
Opcode Fuzzy Hash: 6d3e2c44fe1a2bdeb1b853dec70d9cbcffced44038d11094f49ee94a5e07a837
Instruction Fuzzy Hash: E5A19372028301BFDB129F64DC48E5B7BADFF49320F101A1AF9A2961E1D772E944CB51

Function 00318D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00318E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00356AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00356AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00356F43

Part of subcall function 00318F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00318BE8,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 00318FC5

SendMessageW.USER32(?,00001053), ref: 00356F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00356F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00356FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00356FB7

Strings

0, xrefs: 00356DCF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: cb1cf62e9118162c32d58f5386677b9213a77ba2abd09a73eb09d7c782df3ef9
Instruction ID: 4b3fd9c7d949dae6cd7a61b23a062b06553c6d8f720bde7fc963ce9472f04dd4
Opcode Fuzzy Hash: cb1cf62e9118162c32d58f5386677b9213a77ba2abd09a73eb09d7c782df3ef9
Instruction Fuzzy Hash: 0412CE30601201EFCB27CF14D956FA5B7F9FB49302F95446AE8858B662CB32EC95CB91

Function 00382711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0038273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0038286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00382900
GetClientRect.USER32(00000000,?), ref: 0038290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00382955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00382964
GetStockObject.GDI32(00000011), ref: 00382974
SelectObject.GDI32(00000000,00000000), ref: 00382978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00382988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00382991
DeleteDC.GDI32(00000000), ref: 0038299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00382A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00382A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00382A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00382A77
GetStockObject.GDI32(00000011), ref: 00382A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00382A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00382A97

Strings

static, xrefs: 0038294F, 00382A71
msctls_progress32, xrefs: 00382A13
AutoIt v3, xrefs: 003828F8
DISPLAY, xrefs: 0038295A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: acd4ccc1842a2d9105120b2b728c3fd8a5adc55cfcfa3a0f7d8cdb42e59f9564
Instruction ID: c24537cb1ee7f16c2bf02b98bd74897833e2201c3bbd16e48c67198fcafd9860
Opcode Fuzzy Hash: acd4ccc1842a2d9105120b2b728c3fd8a5adc55cfcfa3a0f7d8cdb42e59f9564
Instruction Fuzzy Hash: 45B16A75A10205AFEB15DFA8DC4AFAFBBA9EB08710F008155F914EB2D0D770AD40CBA0

Function 00374ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00374AED
GetDriveTypeW.KERNEL32(?,0039CB68,?,\\.\,0039CC08), ref: 00374BCA
SetErrorMode.KERNEL32(00000000,0039CB68,?,\\.\,0039CC08), ref: 00374D36

Strings

ATA, xrefs: 00374C98
\\.\, xrefs: 00374B3F
CDROM, xrefs: 00374BFB
RAID, xrefs: 00374CBB
SSD, xrefs: 00374C4A
FileBackedVirtual, xrefs: 00374CEC
Removable, xrefs: 00374C10, 00374C15
RAMDisk, xrefs: 00374BF4
PhysicalDrive, xrefs: 00374B76
Virtual, xrefs: 00374CE5
SATA, xrefs: 00374CD0
SCSI, xrefs: 00374C8A
SAS, xrefs: 00374CC9
Network, xrefs: 00374C02
iSCSI, xrefs: 00374CC2
MMC, xrefs: 00374CDE
Fixed, xrefs: 00374C09
ATAPI, xrefs: 00374C91
Unknown, xrefs: 00374BED, 00374C83
SSA, xrefs: 00374CA6
1394, xrefs: 00374C9F
USB, xrefs: 00374CB4
Fibre, xrefs: 00374CAD

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 314825090fcb129e6b81654dc1a158972159135c3a7bde4b32d626b1700f9c7e
Instruction ID: 9203acbb8367966be748e4288a09e1c515648a188b12cc2660a5c92d8a86a153
Opcode Fuzzy Hash: 314825090fcb129e6b81654dc1a158972159135c3a7bde4b32d626b1700f9c7e
Instruction Fuzzy Hash: 6961C431705206EBCB27DF18C996EA977A4AF44300B25C419F80BEB696DB39FD41DB41

Function 003973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00397421
SetTextColor.GDI32(?,?), ref: 00397425
GetSysColorBrush.USER32(0000000F), ref: 0039743B
GetSysColor.USER32(0000000F), ref: 00397446
CreateSolidBrush.GDI32(?), ref: 0039744B
GetSysColor.USER32(00000011), ref: 00397463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00397471
SelectObject.GDI32(?,00000000), ref: 00397482
SetBkColor.GDI32(?,00000000), ref: 0039748B
SelectObject.GDI32(?,?), ref: 00397498
InflateRect.USER32(?,000000FF,000000FF), ref: 003974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0039752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00397554
InflateRect.USER32(?,000000FD,000000FD), ref: 00397572
DrawFocusRect.USER32(?,?), ref: 0039757D
GetSysColor.USER32(00000011), ref: 0039758E
SetTextColor.GDI32(?,00000000), ref: 00397596
DrawTextW.USER32(?,003970F5,000000FF,?,00000000), ref: 003975A8
SelectObject.GDI32(?,?), ref: 003975BF
DeleteObject.GDI32(?), ref: 003975CA
SelectObject.GDI32(?,?), ref: 003975D0
DeleteObject.GDI32(?), ref: 003975D5
SetTextColor.GDI32(?,?), ref: 003975DB
SetBkColor.GDI32(?,?), ref: 003975E5

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0584e9a8b100598c96c4fd612256c6da8f14c13444126a689c8f75a432fe04cb
Instruction ID: 1c470c1f6956862cdc7300d6ca06c7cbd7226dee134a6007022a57f9ef20db4f
Opcode Fuzzy Hash: 0584e9a8b100598c96c4fd612256c6da8f14c13444126a689c8f75a432fe04cb
Instruction Fuzzy Hash: 72616C72910218AFDF029FA4DC49EEEBFB9EB09320F115116F915AB2E1D7719940CFA0

Function 00390FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00391128
GetDesktopWindow.USER32 ref: 0039113D
GetWindowRect.USER32(00000000), ref: 00391144
GetWindowLongW.USER32(?,000000F0), ref: 00391199
DestroyWindow.USER32(?), ref: 003911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0039120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0039121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00391232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00391245
IsWindowVisible.USER32(00000000), ref: 003912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003912D0
GetWindowRect.USER32(00000000,?), ref: 003912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0039130E
GetMonitorInfoW.USER32(00000000,?), ref: 00391328
CopyRect.USER32(?,?), ref: 0039133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003913AA

Strings

tooltips_class32, xrefs: 003911E6
(, xrefs: 0039131B
0, xrefs: 003910D3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f6287c2272f75661738c20343c68ef0a3de630e506beaeda8eca43feb332ea31
Instruction ID: 77378565e1f9b4088d4cbf6cab0ac1159feda0fcba46904cd911d2d274687781
Opcode Fuzzy Hash: f6287c2272f75661738c20343c68ef0a3de630e506beaeda8eca43feb332ea31
Instruction Fuzzy Hash: FAB18C71608341AFDB11DF64C884B6AFBE4FF88354F008919F999AB2A1CB71EC44CB91

Function 00318891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00318968
GetSystemMetrics.USER32(00000007), ref: 00318970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0031899B
GetSystemMetrics.USER32(00000008), ref: 003189A3
GetSystemMetrics.USER32(00000004), ref: 003189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00318A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00318A3C
GetClientRect.USER32(00000000,000000FF), ref: 00318A5A
GetStockObject.GDI32(00000011), ref: 00318A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00318A81

Part of subcall function 0031912D: GetCursorPos.USER32(?), ref: 00319141
Part of subcall function 0031912D: ScreenToClient.USER32(00000000,?), ref: 0031915E
Part of subcall function 0031912D: GetAsyncKeyState.USER32(00000001), ref: 00319183
Part of subcall function 0031912D: GetAsyncKeyState.USER32(00000002), ref: 0031919D

SetTimer.USER32(00000000,00000000,00000028,003190FC), ref: 00318AA8

Strings

AutoIt v3 GUI, xrefs: 00318A20

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b8d4bded671bb43a3ada6c72e04816a75f043faaab126308e3c56b17999f0396
Instruction ID: c0829a0bace7fdd2a684fe16696bbf02462ac18214f755ccd2c288704be61753
Opcode Fuzzy Hash: b8d4bded671bb43a3ada6c72e04816a75f043faaab126308e3c56b17999f0396
Instruction Fuzzy Hash: EBB16075A00209AFDB16DFA8DC55BEE7BB9FB48315F11421AFA1597290DB30D840CB54

Function 00360D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00361114
Part of subcall function 003610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361120
Part of subcall function 003610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 0036112F
Part of subcall function 003610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361136
Part of subcall function 003610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0036114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00360DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00360E29
GetLengthSid.ADVAPI32(?), ref: 00360E40
GetAce.ADVAPI32(?,00000000,?), ref: 00360E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00360E96
GetLengthSid.ADVAPI32(?), ref: 00360EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00360EB5
HeapAlloc.KERNEL32(00000000), ref: 00360EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00360EDD
CopySid.ADVAPI32(00000000), ref: 00360EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00360F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00360F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00360F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360F6E
HeapFree.KERNEL32(00000000), ref: 00360F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360F7E
HeapFree.KERNEL32(00000000), ref: 00360F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00360F8E
HeapFree.KERNEL32(00000000), ref: 00360F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00360FA1
HeapFree.KERNEL32(00000000), ref: 00360FA8

Part of subcall function 00361193: GetProcessHeap.KERNEL32(00000008,00360BB1,?,00000000,?,00360BB1,?), ref: 003611A1
Part of subcall function 00361193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00360BB1,?), ref: 003611A8
Part of subcall function 00361193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00360BB1,?), ref: 003611B7

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f513dd4abb4a021583b6240d5a8207ac6f51b34e9b5a1ff3bfacac2344f96ac4
Instruction ID: 48f5c301536ba15b6827a2c666edd36e1cb53277bbc53b19544ec0275afa5cbc
Opcode Fuzzy Hash: f513dd4abb4a021583b6240d5a8207ac6f51b34e9b5a1ff3bfacac2344f96ac4
Instruction Fuzzy Hash: D4715B7290021AEBDF26DFA4DC49FAFBBBCBF05300F058115F919AA295D7729905CB60

Function 0038C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0039CC08,00000000,?,00000000,?,?), ref: 0038C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0038C5A4
_wcslen.LIBCMT ref: 0038C5F4
_wcslen.LIBCMT ref: 0038C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0038C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0038C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0038C84D
RegCloseKey.ADVAPI32(?), ref: 0038C881
RegCloseKey.ADVAPI32(00000000), ref: 0038C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0038C960

Strings

REG_EXPAND_SZ, xrefs: 0038C5CD
REG_SZ, xrefs: 0038C644
REG_BINARY, xrefs: 0038C913
REG_DWORD, xrefs: 0038C804
REG_MULTI_SZ, xrefs: 0038C6F5
REG_QWORD, xrefs: 0038C8C3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 4de3492e89cca669b5f6b86d5bf0499466720685a3c579936b4219256521570b
Instruction ID: bbf154ea776239f5da296eb3553acde7af0ec9da74f8c67b896494ab280940b4
Opcode Fuzzy Hash: 4de3492e89cca669b5f6b86d5bf0499466720685a3c579936b4219256521570b
Instruction Fuzzy Hash: 26127A356143019FDB16EF14C891A2AB7E5EF89714F05889DF88A9B3A2DB31FC41CB91

Function 0039091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003909C6
_wcslen.LIBCMT ref: 00390A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00390A54
_wcslen.LIBCMT ref: 00390A8A
_wcslen.LIBCMT ref: 00390B06
_wcslen.LIBCMT ref: 00390B81

Part of subcall function 0031F9F2: _wcslen.LIBCMT ref: 0031F9FD

Part of subcall function 00362BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00362BFA

Strings

UNCHECK, xrefs: 00390D3E
CHECK, xrefs: 00390A85, 00390AA0
GETTEXT, xrefs: 00390C97
EXISTS, xrefs: 00390B7C, 00390B97
GETITEMCOUNT, xrefs: 00390C1E
EXPAND, xrefs: 00390BF8
COLLAPSE, xrefs: 00390B01, 00390B1C
SELECT, xrefs: 00390D11
GETTOTALCOUNT, xrefs: 003909F2, 00390A17
GETSELECTED, xrefs: 00390C4E
ISCHECKED, xrefs: 00390CE1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0ecbf6bc387b5973061b1a3acfe34f7d334c44562696f1dbd9ee2ada5ee56b1d
Instruction ID: ab19c8432f3b1d2c58ab62350f9a16a11cca99d33e4fe8ca9001dec29e3998a9
Opcode Fuzzy Hash: 0ecbf6bc387b5973061b1a3acfe34f7d334c44562696f1dbd9ee2ada5ee56b1d
Instruction Fuzzy Hash: BEE1CF362087018FCB1AEF28C45096AB7E5FF98314F15895CF8969B7A2DB31ED45CB81

Function 0038C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038B6AE,?,?), ref: 0038C9B5
_wcslen.LIBCMT ref: 0038C9F1
_wcslen.LIBCMT ref: 0038CA68
_wcslen.LIBCMT ref: 0038CA9E
_wcslen.LIBCMT ref: 0038CAF9
_wcslen.LIBCMT ref: 0038CB2F
_wcslen.LIBCMT ref: 0038CB7F

Strings

HKLM, xrefs: 0038CA98, 0038CA9D
HKEY_CLASSES_ROOT, xrefs: 0038CAF3, 0038CAF8
HKCR, xrefs: 0038CB29, 0038CB2E
HKCU, xrefs: 0038CBCE
HKEY_CURRENT_USER, xrefs: 0038CBBD
HKCC, xrefs: 0038CBAC
HKEY_CURRENT_CONFIG, xrefs: 0038CB79, 0038CB7E
HKU, xrefs: 0038CBF0
HKEY_USERS, xrefs: 0038CBDF
HKEY_LOCAL_MACHINE, xrefs: 0038CA62, 0038CA67

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2566e5c24cbe75e48517b41eab3b8953b2d7b1e0a28844b124c327f436dcf889
Instruction ID: 8004eed8ec49ad1b221acb3e3a3c6b0238aaff5a9bbd4f270c471fa09927fda7
Opcode Fuzzy Hash: 2566e5c24cbe75e48517b41eab3b8953b2d7b1e0a28844b124c327f436dcf889
Instruction Fuzzy Hash: 0671193262062A8BCB17FE7CD8516BB33A5AF60750F1211A9FC659B284E735CD45C7B0

Function 0039833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0039835A
_wcslen.LIBCMT ref: 0039836E
_wcslen.LIBCMT ref: 00398391
_wcslen.LIBCMT ref: 003983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0039361A,?), ref: 0039844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00398487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00398501
FreeLibrary.KERNEL32(?), ref: 0039850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0039851D
DestroyIcon.USER32(?), ref: 0039852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00398549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00398555

Strings

.icl, xrefs: 00398368
.dll, xrefs: 003983AB
.exe, xrefs: 00398388

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: c0717a206dffc67660ed922506bdccea835f538ff2ef4731c039486e0d3e7ab6
Instruction ID: 2313d3085b9b4c91c34bed3b6dc019ef1605e2793487c23f39d6f0273dee6a44
Opcode Fuzzy Hash: c0717a206dffc67660ed922506bdccea835f538ff2ef4731c039486e0d3e7ab6
Instruction Fuzzy Hash: 8261DF72500215BAEF16DF65DC81BFE77ACBF4AB21F10460AF815DA0D1DB74A990CBA0

Function 00307778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 003077D3
Unterminated group of comments, xrefs: 0034528C
#notrayicon, xrefs: 003077E7
#requireadmin, xrefs: 003077FF
", xrefs: 00345153
#include-once, xrefs: 0030782F
#OnAutoItStartRegister, xrefs: 00307817
#comments-start, xrefs: 0030785F, 003078B1
Bad directive syntax error, xrefs: 0034519A
#comments-end, xrefs: 003078D9
Cannot parse #include, xrefs: 00345279
#ce, xrefs: 003078ED
', xrefs: 00345169
#include, xrefs: 00307847
#cs, xrefs: 00307873, 003078C5

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e17793ac39405436e50167a8a1ee72d08264d2686a8d77eb525ccfb6426c1342
Instruction ID: e761dc2872966fbaceabfe5008d541e051849b3283133dcf1e23c4c7d9445ecd
Opcode Fuzzy Hash: e17793ac39405436e50167a8a1ee72d08264d2686a8d77eb525ccfb6426c1342
Instruction Fuzzy Hash: AA81ED71A06205BBDF23AF60DC52FBE3BA8AF54740F054025F805AE1D2EB71EA51C6A1

Function 00373E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00373EF8
_wcslen.LIBCMT ref: 00373F03
_wcslen.LIBCMT ref: 00373F5A
_wcslen.LIBCMT ref: 00373F98
GetDriveTypeW.KERNEL32(?), ref: 00373FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00374059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00374087

Strings

close, xrefs: 00373EFE, 00373F18
set cd door , xrefs: 00374028
closed, xrefs: 00373F08, 00373F2D, 00373F46, 00373F7E, 00373F97
open, xrefs: 00373F54, 00373F59
wait, xrefs: 00374044
close cd wait, xrefs: 00374072
open , xrefs: 00373FE5
type cdaudio alias cd wait, xrefs: 00374001

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 520bc2674cb069c0579fdb38b001be7e2aa25421a9cbfec39d9122b18aa66d41
Instruction ID: 5eb013ebfa346d16f3d66ac8f902b4fde3455c176d86df62e150e04fa03585c8
Opcode Fuzzy Hash: 520bc2674cb069c0579fdb38b001be7e2aa25421a9cbfec39d9122b18aa66d41
Instruction Fuzzy Hash: 1F7103726042129FC322EF24C89196BB7F4EF94754F00892DF899D7291EB35ED45CB91

Function 00365A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00365A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00365A40
SetWindowTextW.USER32(?,?), ref: 00365A57
GetDlgItem.USER32(?,000003EA), ref: 00365A6C
SetWindowTextW.USER32(00000000,?), ref: 00365A72
GetDlgItem.USER32(?,000003E9), ref: 00365A82
SetWindowTextW.USER32(00000000,?), ref: 00365A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00365AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00365AC3
GetWindowRect.USER32(?,?), ref: 00365ACC
_wcslen.LIBCMT ref: 00365B33
SetWindowTextW.USER32(?,?), ref: 00365B6F
GetDesktopWindow.USER32 ref: 00365B75
GetWindowRect.USER32(00000000), ref: 00365B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00365BD3
GetClientRect.USER32(?,?), ref: 00365BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00365C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00365C2F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f47b9cd74c98f67d5b12dfdd9fbf94699ef5f3ea59358403156296b519051fca
Instruction ID: 97890782a75a04550bf6101cff38a2ec1c7bb691854abe420f20c395d2a8dadb
Opcode Fuzzy Hash: f47b9cd74c98f67d5b12dfdd9fbf94699ef5f3ea59358403156296b519051fca
Instruction Fuzzy Hash: D5718031900B09AFDB22DFA8CE85A6EBBF9FF48704F104529E142A75A4D775E944CF50

Function 0037FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0037FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0037FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0037FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0037FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0037FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0037FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0037FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0037FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0037FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0037FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0037FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0037FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0037FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0037FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0037FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0037FECC
GetCursorInfo.USER32(?), ref: 0037FEDC
GetLastError.KERNEL32 ref: 0037FF1E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 8d4a5dc3f4b7f48b6d8f3a09c7664f58c96b5476e4ae92915673dd5c966f512c
Instruction ID: b739baeeaebc5183aac98e4f6a796c7037858953b59587db8892ee88d6ab98d6
Opcode Fuzzy Hash: 8d4a5dc3f4b7f48b6d8f3a09c7664f58c96b5476e4ae92915673dd5c966f512c
Instruction Fuzzy Hash: AF4154B0D093196FDB219FBA8C8585EBFE8FF04754B50852AE11DEB281DB789901CF91

Function 003630F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036318D
_wcslen.LIBCMT ref: 003631F8

Strings

[<, xrefs: 0036339A
NAME, xrefs: 00363335, 00363346
TEXT, xrefs: 0036347C
CLASSNN, xrefs: 003631F3, 00363204
INSTANCE, xrefs: 00363453
CLASS, xrefs: 00363188, 003631A5
REGEXPCLASS, xrefs: 00363255, 00363266

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[<
API String ID: 176396367-3478203385
Opcode ID: 57fd8d86d176db6aa139387a894b0dca9496f79f78953031ca670bc22f8dcada
Instruction ID: 00955ee4994fff36316b7adfca90778dbe3993687d722a7782bfd01c603a55df
Opcode Fuzzy Hash: 57fd8d86d176db6aa139387a894b0dca9496f79f78953031ca670bc22f8dcada
Instruction Fuzzy Hash: 46E1F532A00626ABCB1BDF68C451BEEFBB4BF45710F25C119E556E7244DF30AE858790

Function 003200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003200C6

Part of subcall function 003200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(003D070C,00000FA0,1D19F741,?,?,?,?,003423B3,000000FF), ref: 0032011C
Part of subcall function 003200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003423B3,000000FF), ref: 00320127
Part of subcall function 003200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003423B3,000000FF), ref: 00320138
Part of subcall function 003200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0032014E
Part of subcall function 003200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0032015C
Part of subcall function 003200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0032016A
Part of subcall function 003200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00320195
Part of subcall function 003200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003201A0

___scrt_fastfail.LIBCMT ref: 003200E7

Part of subcall function 003200A3: __onexit.LIBCMT ref: 003200A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00320122
InitializeConditionVariable, xrefs: 00320148
kernel32.dll, xrefs: 00320133
SleepConditionVariableCS, xrefs: 00320154
WakeAllConditionVariable, xrefs: 00320162

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4830ac6874d5c08645e953e42c89d9c3d3dc758d64b10e73e9aeba00f2a2137a
Instruction ID: 78ae1cce0065a6aecf6f2b9445f66b220cb898ad7aa70a6b3d91445c84ec4980
Opcode Fuzzy Hash: 4830ac6874d5c08645e953e42c89d9c3d3dc758d64b10e73e9aeba00f2a2137a
Instruction Fuzzy Hash: 03210B366457216FE71B6B74BC06BAE739CDB05F51F010137F805EA292DB71AC048A94

Function 003744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0039CC08), ref: 00374527
_wcslen.LIBCMT ref: 0037453B
_wcslen.LIBCMT ref: 00374599
_wcslen.LIBCMT ref: 003745F4
_wcslen.LIBCMT ref: 0037463F
_wcslen.LIBCMT ref: 003746A7

Part of subcall function 0031F9F2: _wcslen.LIBCMT ref: 0031F9FD

GetDriveTypeW.KERNEL32(?,003C6BF0,00000061), ref: 00374743

Strings

unknown, xrefs: 00374708
network, xrefs: 0037469D, 003746A2
removable, xrefs: 003745EA, 003745EF
cdrom, xrefs: 0037458F, 00374594
all, xrefs: 00374531, 00374536
fixed, xrefs: 00374635, 0037463A
ramdisk, xrefs: 003746F1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: dc6e3afdf70d73871d1ccea64193cd5caf8c89de4aaf2672d6b225f8c2c61f98
Instruction ID: abb59fd501e1685f45c61b76e050a8be38affe1e42fbbb06b23974cef23988b9
Opcode Fuzzy Hash: dc6e3afdf70d73871d1ccea64193cd5caf8c89de4aaf2672d6b225f8c2c61f98
Instruction Fuzzy Hash: D5B116316083029FC726DF28C891A6EB7E5BF96720F51891DF4AACB291D734EC44CB52

Function 0039911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2

DragQueryPoint.SHELL32(?,?), ref: 00399147

Part of subcall function 00397674: ClientToScreen.USER32(?,?), ref: 0039769A
Part of subcall function 00397674: GetWindowRect.USER32(?,?), ref: 00397710
Part of subcall function 00397674: PtInRect.USER32(?,?,00398B89), ref: 00397720

SendMessageW.USER32(?,000000B0,?,?), ref: 003991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00399225
SendMessageW.USER32(?,000000B0,?,?), ref: 0039923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00399255
SendMessageW.USER32(?,000000B1,?,?), ref: 00399277
DragFinish.SHELL32(?), ref: 0039927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00399371

Strings

@GUI_DRAGFILE, xrefs: 00399320
@GUI_DROPID, xrefs: 0039929E
p#=, xrefs: 003992BB
@GUI_DRAGID, xrefs: 003992E9

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#=
API String ID: 221274066-673275980
Opcode ID: 2f69269afefbcb548e6f8fcc4b9a166c851ec95820811eea246e36635fde5e76
Instruction ID: 49314b8668127a88da0c4a3cda082e2c620a0a15d7e7a06874873559d23db3ce
Opcode Fuzzy Hash: 2f69269afefbcb548e6f8fcc4b9a166c851ec95820811eea246e36635fde5e76
Instruction Fuzzy Hash: F861AC72108301AFD702EF64DC95EAFBBE8EF89750F00091EF591971A1DB309A48CB62

Function 0030326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(003D1990), ref: 00342F8D
GetMenuItemCount.USER32(003D1990), ref: 0034303D
GetCursorPos.USER32(?), ref: 00343081
SetForegroundWindow.USER32(00000000), ref: 0034308A
TrackPopupMenuEx.USER32(003D1990,00000000,?,00000000,00000000,00000000), ref: 0034309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003430A9

Strings

0, xrefs: 0030327D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: c7b26a3d257cb0cc4d411d0a12f2293d7204799fcfad2ea209c9ae8ed31e8528
Instruction ID: 39326caf822522600cb41fe3553b6e311b57880e88b57001cee896cf72da61c6
Opcode Fuzzy Hash: c7b26a3d257cb0cc4d411d0a12f2293d7204799fcfad2ea209c9ae8ed31e8528
Instruction Fuzzy Hash: BA71F431645205BEEB238F65CC59FAABFACFF05324F204216F515AE1E0C7B2A954CB50

Function 00396CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00396DEB

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00396E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00396E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00396E94
DestroyWindow.USER32(?), ref: 00396EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00300000,00000000), ref: 00396EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00396EFD
GetDesktopWindow.USER32 ref: 00396F16
GetWindowRect.USER32(00000000), ref: 00396F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00396F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00396F4D

Part of subcall function 00319944: GetWindowLongW.USER32(?,000000EB), ref: 00319952

Strings

tooltips_class32, xrefs: 00396E58, 00396EDD
0, xrefs: 00396D98

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 17e015b4276540a93bb5533149c80432d8e7705f7430c36e2b2f2e5002812fab
Instruction ID: e3a498311d97f9a5092847082ee3c6159d39026cb151cb621a67a26793395618
Opcode Fuzzy Hash: 17e015b4276540a93bb5533149c80432d8e7705f7430c36e2b2f2e5002812fab
Instruction Fuzzy Hash: 21715874505244AFDB22CF18EC69FBABBE9FB89304F44041EF99A87261C771E906CB51

Function 0037C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0037C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0037C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0037C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0037C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0037C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0037C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0037C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0037C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0037C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0037C5F0
InternetCloseHandle.WININET(00000000), ref: 0037C5FB

Strings

, xrefs: 0037C575

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d8f900aa760dff961f525a6c9fb0e9a6dd13469c5ef1ad7c2be053f2799b9cd9
Instruction ID: 49113ad6de594f552479e9be13c16746e100e32f621cb0c5f569727fb5aba31d
Opcode Fuzzy Hash: d8f900aa760dff961f525a6c9fb0e9a6dd13469c5ef1ad7c2be053f2799b9cd9
Instruction Fuzzy Hash: 3C514FB1510608BFDB328FA1C988AAB7BBCFF09754F00941EF94996510D73AE944DB60

Function 0039856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00398592
GetFileSize.KERNEL32(00000000,00000000), ref: 003985A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 003985AD
CloseHandle.KERNEL32(00000000), ref: 003985BA
GlobalLock.KERNEL32(00000000), ref: 003985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003985D7
GlobalUnlock.KERNEL32(00000000), ref: 003985E0
CloseHandle.KERNEL32(00000000), ref: 003985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 003985F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0039FC38,?), ref: 00398611
GlobalFree.KERNEL32(00000000), ref: 00398621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00398641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00398671
DeleteObject.GDI32(00000000), ref: 00398699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003986AF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 5f3e8eb52625c7d2a620a88c46788eb5882b95afe186c2ce5df47ecfd92d51a9
Instruction ID: 04acf75746a4cbc8c137d7666688596b608a5a17b0896fda4809ee90d5889ae9
Opcode Fuzzy Hash: 5f3e8eb52625c7d2a620a88c46788eb5882b95afe186c2ce5df47ecfd92d51a9
Instruction Fuzzy Hash: 2A413A75600208AFDB12DFA5CC88EAA7BBCFF8A711F114459F905EB260DB319D05CB20

Function 003714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00371502
VariantCopy.OLEAUT32(?,?), ref: 0037150B
VariantClear.OLEAUT32(?), ref: 00371517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00371657
VariantInit.OLEAUT32(?), ref: 00371708
SysFreeString.OLEAUT32(?), ref: 0037178C
VariantClear.OLEAUT32(?), ref: 003717D8
VariantClear.OLEAUT32(?), ref: 003717E7
VariantInit.OLEAUT32(00000000), ref: 00371823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00371625
Default, xrefs: 003716AF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a2d37777e4a0c867dc6e3e7014db3553cd5f01a71d2eeaf5040a5e83bde872fb
Instruction ID: bd235da55b791da039c93c29c59eae0fe1cd43bf7ae8afffc66f340a5c610895
Opcode Fuzzy Hash: a2d37777e4a0c867dc6e3e7014db3553cd5f01a71d2eeaf5040a5e83bde872fb
Instruction Fuzzy Hash: 17D10472A00105DBDF2A9F69D885BB9B7B9BF4A710F14C05AE40AAF580DB38DC41DB51

Function 0038B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 0038C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038B6AE,?,?), ref: 0038C9B5
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038C9F1
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA68
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0038B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0038B80A
RegCloseKey.ADVAPI32(?), ref: 0038B87E
RegCloseKey.ADVAPI32(?), ref: 0038B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0038B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0038B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0038B922
FreeLibrary.KERNEL32(00000000), ref: 0038B983
RegCloseKey.ADVAPI32(00000000), ref: 0038B994

Strings

advapi32.dll, xrefs: 0038B8ED
RegDeleteKeyExW, xrefs: 0038B8FE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0386df49f78f9299949bdfcba26d8fd59f0986079a3d293cc0c9454b769cb0d1
Instruction ID: 2e52d8f3adfe33ad2642a615c290d8bece86c2a15f4f7e8d2da3298cfc2e6238
Opcode Fuzzy Hash: 0386df49f78f9299949bdfcba26d8fd59f0986079a3d293cc0c9454b769cb0d1
Instruction Fuzzy Hash: 38C17B34205342AFD712EF24C495F2ABBE5BF84318F15859CF59A8B2A2CB31ED45CB91

Function 0038255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003825E8
CreateCompatibleDC.GDI32(?), ref: 003825F4
SelectObject.GDI32(00000000,?), ref: 00382601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0038266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003826D0
SelectObject.GDI32(?,?), ref: 003826D8
DeleteObject.GDI32(?), ref: 003826E1
DeleteDC.GDI32(?), ref: 003826E8
ReleaseDC.USER32(00000000,?), ref: 003826F3

Strings

(, xrefs: 0038268D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8418b786c9c8098dc32de79e7758c0df3c5844160a98797935d4e9025d44a6a4
Instruction ID: 6a2698b2bcc11f42632282d2b54b59152bca763bfb38f517cd86a2900b4f2e9f
Opcode Fuzzy Hash: 8418b786c9c8098dc32de79e7758c0df3c5844160a98797935d4e9025d44a6a4
Instruction Fuzzy Hash: EB610375D00219EFCF05DFA4D884EAEBBB9FF48310F20856AE955A7250E771A941CF60

Function 0033DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0033DAA1

Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D659
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D66B
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D67D
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D68F
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6A1
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6B3
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6C5
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6D7
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6E9
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D6FB
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D70D
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D71F
Part of subcall function 0033D63C: _free.LIBCMT ref: 0033D731

_free.LIBCMT ref: 0033DA96

Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0

_free.LIBCMT ref: 0033DAB8
_free.LIBCMT ref: 0033DACD
_free.LIBCMT ref: 0033DAD8
_free.LIBCMT ref: 0033DAFA
_free.LIBCMT ref: 0033DB0D
_free.LIBCMT ref: 0033DB1B
_free.LIBCMT ref: 0033DB26
_free.LIBCMT ref: 0033DB5E
_free.LIBCMT ref: 0033DB65
_free.LIBCMT ref: 0033DB82
_free.LIBCMT ref: 0033DB9A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e03c394a56c8d4b95fdd3fff21d489a41358c0d454e8bef3b4c900a6f479bf23
Instruction ID: e222e8fe3f041ad41d0897d0bb7342bbbefa32180e13541a3c95c5510ffcabc0
Opcode Fuzzy Hash: e03c394a56c8d4b95fdd3fff21d489a41358c0d454e8bef3b4c900a6f479bf23
Instruction Fuzzy Hash: D83138326047059FEB23AA39F885B5BB7E9FF01311F164469F459DB191DF31AC908B20

Function 0036365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0036369C
_wcslen.LIBCMT ref: 003636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00363797
GetClassNameW.USER32(?,?,00000400), ref: 0036380C
GetDlgCtrlID.USER32(?), ref: 0036385D
GetWindowRect.USER32(?,?), ref: 00363882
GetParent.USER32(?), ref: 003638A0
ScreenToClient.USER32(00000000), ref: 003638A7
GetClassNameW.USER32(?,?,00000100), ref: 00363921
GetWindowTextW.USER32(?,?,00000400), ref: 0036395D

Strings

%s%u, xrefs: 00363734

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 4f462a72efeff67642fd85494c63b3dd86a9312cd2a56622609af2d657560a3d
Instruction ID: 24b0c1145067998114da21742528206a2c2a5a899d9592a06d7b47aebe35279f
Opcode Fuzzy Hash: 4f462a72efeff67642fd85494c63b3dd86a9312cd2a56622609af2d657560a3d
Instruction Fuzzy Hash: 8991A071204706AFD71ADF24C885BEAF7E8FF44350F008529F99AD6194DB30EA55CB91

Function 00364954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00364994
GetWindowTextW.USER32(?,?,00000400), ref: 003649DA
_wcslen.LIBCMT ref: 003649EB
CharUpperBuffW.USER32(?,00000000), ref: 003649F7
_wcsstr.LIBVCRUNTIME ref: 00364A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00364A64
GetWindowTextW.USER32(?,?,00000400), ref: 00364A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00364AE6
GetClassNameW.USER32(?,?,00000400), ref: 00364B20
GetWindowRect.USER32(?,?), ref: 00364B8B

Strings

ThumbnailClass, xrefs: 00364A6F, 00364AF1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 24bb8a1abf718dd43e32ea7872e4b045047d1c9dd1dd9e3b41a093f20fbfeac8
Instruction ID: 517c15bd8835f5db5f7c55519a920c2bbdfe8402cbe707decd7e029445e20c77
Opcode Fuzzy Hash: 24bb8a1abf718dd43e32ea7872e4b045047d1c9dd1dd9e3b41a093f20fbfeac8
Instruction Fuzzy Hash: A791AD31808205AFDB06DF14C985BAA77E8FF84714F04846AFD859B19AEB30ED45CBA1

Function 0036BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(003D1990,000000FF,00000000,00000030), ref: 0036BFAC
SetMenuItemInfoW.USER32(003D1990,00000004,00000000,00000030), ref: 0036BFE1
Sleep.KERNEL32(000001F4), ref: 0036BFF3
GetMenuItemCount.USER32(?), ref: 0036C039
GetMenuItemID.USER32(?,00000000), ref: 0036C056
GetMenuItemID.USER32(?,-00000001), ref: 0036C082
GetMenuItemID.USER32(?,?), ref: 0036C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0036C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0036C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0036C145

Strings

0, xrefs: 0036BF3D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 4fecf2680df4e343c1ab67a8aad347b6f565458f349993c41921b1030d597ab1
Instruction ID: 762b4d99c6847aa85db0d4572f28d0817ac29a5beff15562f0ea9ec3a8a4c7f3
Opcode Fuzzy Hash: 4fecf2680df4e343c1ab67a8aad347b6f565458f349993c41921b1030d597ab1
Instruction Fuzzy Hash: 4061A4B0920245AFDF12CF64DC88AFEBB78EB06344F019016F991A7296C731ED44CB60

Function 0038CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0038CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0038CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0038CD48

Part of subcall function 0038CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0038CCAA
Part of subcall function 0038CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0038CCBD
Part of subcall function 0038CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0038CCCF
Part of subcall function 0038CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0038CD05
Part of subcall function 0038CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0038CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0038CCF3

Strings

advapi32.dll, xrefs: 0038CCB8
RegDeleteKeyExW, xrefs: 0038CCC9

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 9e56dca81c5f0bcf76c5d59a63b9dcd27c4e970a7b21e079d86965db0d54ae85
Instruction ID: a39b60dc160f144c5e2ce23dce2765d405ce66b9f7dfc9a37c9851035d801382
Opcode Fuzzy Hash: 9e56dca81c5f0bcf76c5d59a63b9dcd27c4e970a7b21e079d86965db0d54ae85
Instruction Fuzzy Hash: 5C318071911228BBDB22AB55DC88EFFBB7CEF45740F0111A6E906E3240D6309E49DBB0

Function 00373D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00373D40
_wcslen.LIBCMT ref: 00373D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00373D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00373DBE
RemoveDirectoryW.KERNEL32(?), ref: 00373DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00373E55
CloseHandle.KERNEL32(00000000), ref: 00373E60
CloseHandle.KERNEL32(00000000), ref: 00373E6B

Strings

\??\%s, xrefs: 00373D5B
\, xrefs: 00373D77
:, xrefs: 00373D82

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 32f2888565ab76a7a6a494ef494b90896d52c592a1a6448defc7fe35725ac273
Instruction ID: aebc41b5b93d5adc958eb1c15fdd79a8e5c1a791bc1bba062d145b3d92778cf1
Opcode Fuzzy Hash: 32f2888565ab76a7a6a494ef494b90896d52c592a1a6448defc7fe35725ac273
Instruction Fuzzy Hash: 09318176910219ABDB329BA0DC89FEB37BCEF88700F1181B6F509E6160E77497449B64

Function 0036E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0036E6B4

Part of subcall function 0031E551: timeGetTime.WINMM(?,?,0036E6D4), ref: 0031E555

Sleep.KERNEL32(0000000A), ref: 0036E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0036E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0036E727
SetActiveWindow.USER32 ref: 0036E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0036E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0036E773
Sleep.KERNEL32(000000FA), ref: 0036E77E
IsWindow.USER32 ref: 0036E78A
EndDialog.USER32(00000000), ref: 0036E79B

Strings

BUTTON, xrefs: 0036E719

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a50a26e3ddac7d02dc52126e035238b9389729442e2d94f2aff93b438f00ff76
Instruction ID: 45c9cc7588ee161c590a882f9d39803b9b6cb3b56702acf846291f018c6e5626
Opcode Fuzzy Hash: a50a26e3ddac7d02dc52126e035238b9389729442e2d94f2aff93b438f00ff76
Instruction Fuzzy Hash: 9A21C3B8210301AFEB035F64FC89A263B6DFB65348F109427F841821A5DBB2EC088B24

Function 0036E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0036EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0036EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0036EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0036EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0036EAA7

Strings

status PlayMe mode, xrefs: 0036EA58
alias PlayMe, xrefs: 0036EA36
close PlayMe, xrefs: 0036EA6E, 0036EA9B
play PlayMe, xrefs: 0036EAA2
open , xrefs: 0036EA0C
play PlayMe wait, xrefs: 0036EA91

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ea08dca934d798025d808113dd8cbc3f3d96b8a753a1f1ad77f864e3004c39f8
Instruction ID: d93387462f3759599a8101c1e55ea7de258174a34a425eab17ffa38afee6907c
Opcode Fuzzy Hash: ea08dca934d798025d808113dd8cbc3f3d96b8a753a1f1ad77f864e3004c39f8
Instruction Fuzzy Hash: 4C11A035A9125979D722A7A5DD5BEFF6A7CEFD1B00F00042AB801E60D5EFB00E08C6B0

Function 00369F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0036A012
SetKeyboardState.USER32(?), ref: 0036A07D
GetAsyncKeyState.USER32(000000A0), ref: 0036A09D
GetKeyState.USER32(000000A0), ref: 0036A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0036A0E3
GetKeyState.USER32(000000A1), ref: 0036A0F4
GetAsyncKeyState.USER32(00000011), ref: 0036A120
GetKeyState.USER32(00000011), ref: 0036A12E
GetAsyncKeyState.USER32(00000012), ref: 0036A157
GetKeyState.USER32(00000012), ref: 0036A165
GetAsyncKeyState.USER32(0000005B), ref: 0036A18E
GetKeyState.USER32(0000005B), ref: 0036A19C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 726fff2f6b6e161eee5dbdd2a9d4fb890a697a18dd21a1cb948c0488dba2084b
Instruction ID: 7d489310ea8d3e4232c55194abe8eb6476757f4f3ff721149d2b0318cc506844
Opcode Fuzzy Hash: 726fff2f6b6e161eee5dbdd2a9d4fb890a697a18dd21a1cb948c0488dba2084b
Instruction Fuzzy Hash: 3F51AC30504B8429FB37DB6048157EBBFF55F13380F09C59AD5C26B5C6DA64AA8CCB62

Function 00365CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00365CE2
GetWindowRect.USER32(00000000,?), ref: 00365CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00365D59
GetDlgItem.USER32(?,00000002), ref: 00365D69
GetWindowRect.USER32(00000000,?), ref: 00365D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00365DCF
GetDlgItem.USER32(?,000003E9), ref: 00365DDD
GetWindowRect.USER32(00000000,?), ref: 00365DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00365E31
GetDlgItem.USER32(?,000003EA), ref: 00365E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00365E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00365E67

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a20530e96ebe5ca1fc579395b646805a907f05e85de945310fc096d648ef0908
Instruction ID: 854eda2fc0d2bfc4e16c4771ba8e8113d297ab3344db88b2aed3fcde48f16fe0
Opcode Fuzzy Hash: a20530e96ebe5ca1fc579395b646805a907f05e85de945310fc096d648ef0908
Instruction Fuzzy Hash: 0A512E71B10605AFDF19CFA8CD89AAEBBB9FB48300F548129F515E7294D7719E00CB60

Function 00318BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00318F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00318BE8,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 00318FC5

DestroyWindow.USER32(?), ref: 00318C81
KillTimer.USER32(00000000,?,?,?,?,00318BBA,00000000,?), ref: 00318D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00356973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 003569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00318BBA,00000000,?), ref: 003569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00318BBA,00000000), ref: 003569D4
DeleteObject.GDI32(00000000), ref: 003569E6

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 76bea65e06362e1b362ff8d8ad80c800c81057a14240b9155362e8ab3037bf25
Instruction ID: 7cfc78ddff563337b7cdc83b51910e0d0b296703e510c57c7f95dead1806e903
Opcode Fuzzy Hash: 76bea65e06362e1b362ff8d8ad80c800c81057a14240b9155362e8ab3037bf25
Instruction Fuzzy Hash: 9561AC31502600EFCB2B8F14E959BA5B7F9FB48312F55451AE4429BA70CB32ACC4CF98

Function 00319838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00319944: GetWindowLongW.USER32(?,000000EB), ref: 00319952

GetSysColor.USER32(0000000F), ref: 00319862

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d5eee4fe0d59ffa6e4a80a9e0b99e18a66a93d25542066a4d795ac5159ac1dd8
Instruction ID: da99c904b70a31748fd81c37d7d2f49a32951db77357cfcd0255f094047fb327
Opcode Fuzzy Hash: d5eee4fe0d59ffa6e4a80a9e0b99e18a66a93d25542066a4d795ac5159ac1dd8
Instruction Fuzzy Hash: 04418F31104640AFDB265F389C98BFA3BA9BB0A731F154617F9A28B1E1D7319C82DB11

Function 00338D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.2, xrefs: 0033903A, 00338FD0, 00338FF2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: .2
API String ID: 0-1634799438
Opcode ID: 30db5770d1c83ccdbaf4fe98ecfbfc0ceea2fd7673df9b0c7958933ae6546ee8
Instruction ID: 3b531becc4477c0f2590aa556f42e312cc28238d8734bc9a5278208467fe7057
Opcode Fuzzy Hash: 30db5770d1c83ccdbaf4fe98ecfbfc0ceea2fd7673df9b0c7958933ae6546ee8
Instruction Fuzzy Hash: A6C1F374904349EFCB17DFA8E881BADBBB8AF0A310F15419AF455AB392C7758941CF60

Function 003696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0034F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00369717
LoadStringW.USER32(00000000,?,0034F7F8,00000001), ref: 00369720

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0034F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00369742
LoadStringW.USER32(00000000,?,0034F7F8,00000001), ref: 00369745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00369866

Strings

Error: , xrefs: 0036981D
Line %d:, xrefs: 003697A0
Line %d (File "%s"):, xrefs: 0036978F
^ ERROR, xrefs: 003697FB
%s (%d) : ==> %s: %s %s, xrefs: 0036984A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4ef6df93832da89c1d0bda2dd893bd4c2f98a4ae071768676be1e5f05b831ada
Instruction ID: b9515b0a36cccd20eead479c62555004b446711674f4cee9ea23d789d0091f3b
Opcode Fuzzy Hash: 4ef6df93832da89c1d0bda2dd893bd4c2f98a4ae071768676be1e5f05b831ada
Instruction Fuzzy Hash: 1D412D72901209AACF06EBE0DD97EEE777CAF14340F504066F605BA096EB356F48CB61

Function 003606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00360804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0036082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00360837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0036083C

Strings

\IPC$, xrefs: 00360784
\CLSID, xrefs: 00360724
SOFTWARE\Classes\, xrefs: 0036070E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2a2c39f66730efdb89e2f187c6d215fb89248825cfce44d2d8df8e72b5cadcbf
Instruction ID: 85eb4cdc3d2af598bc46c8d77fc4a1c14f6b11ad3f0708ffeb5662619357b2f9
Opcode Fuzzy Hash: 2a2c39f66730efdb89e2f187c6d215fb89248825cfce44d2d8df8e72b5cadcbf
Instruction Fuzzy Hash: 9D412D72D11229ABCF16EFA4DC96DEEB778FF04350F054169E901A71A1EB309E44CB90

Function 00393F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0039403B
CreateCompatibleDC.GDI32(00000000), ref: 00394042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00394055
SelectObject.GDI32(00000000,00000000), ref: 0039405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00394068
DeleteDC.GDI32(00000000), ref: 00394072
GetWindowLongW.USER32(?,000000EC), ref: 0039407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00394092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0039409E

Strings

static, xrefs: 00393FD3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 08b19937b793dcd02902bfcdf976912d02fe7cf8e39f31796deeac215a22f624
Instruction ID: 56e87ea181595c5198423557afda12ffa87b6093933a61b40f2f6feaadac48cd
Opcode Fuzzy Hash: 08b19937b793dcd02902bfcdf976912d02fe7cf8e39f31796deeac215a22f624
Instruction Fuzzy Hash: 1D316C32511215ABDF239FA4DC09FDA3B6CEF0D324F111211FA19E61A0C776D821DB64

Function 00383C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00383C5C
CoInitialize.OLE32(00000000), ref: 00383C8A
CoUninitialize.OLE32 ref: 00383C94
_wcslen.LIBCMT ref: 00383D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00383DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00383ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00383F0E
CoGetObject.OLE32(?,00000000,0039FB98,?), ref: 00383F2D
SetErrorMode.KERNEL32(00000000), ref: 00383F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00383FC4
VariantClear.OLEAUT32(?), ref: 00383FD8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 02bcbf4cc9341070beaadce536fe5b285c0228e28c28be253dee4948a96361b0
Instruction ID: 72d40b709e0cc4d0bbf65527acb2536bed94c1fe1a40af4e51299107d99d5d41
Opcode Fuzzy Hash: 02bcbf4cc9341070beaadce536fe5b285c0228e28c28be253dee4948a96361b0
Instruction Fuzzy Hash: 88C125716083059FD702EF68C88492BB7E9FF89B44F10499DF98A9B251D731EE05CB92

Function 00377A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00377AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00377B8F
SHGetDesktopFolder.SHELL32(?), ref: 00377BA3
CoCreateInstance.OLE32(0039FD08,00000000,00000001,003C6E6C,?), ref: 00377BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00377C74
CoTaskMemFree.OLE32(?,?), ref: 00377CCC
SHBrowseForFolderW.SHELL32(?), ref: 00377D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00377D7A
CoTaskMemFree.OLE32(00000000), ref: 00377D81
CoTaskMemFree.OLE32(00000000), ref: 00377DD6
CoUninitialize.OLE32 ref: 00377DDC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7598ff8cd5f7a79a5e0c86d70cd9b1444d9ed8aa0ca209e4824d7bdf9541875f
Instruction ID: ae1a36c33b7e62b165f1a5eb45a94dde438d171bd5c102d73beb2ced6ae093b9
Opcode Fuzzy Hash: 7598ff8cd5f7a79a5e0c86d70cd9b1444d9ed8aa0ca209e4824d7bdf9541875f
Instruction Fuzzy Hash: 2DC12A75A04209AFCB15DFA4C894DAEBBF9FF48304B148499E81ADB361D735EE41CB90

Function 0039541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00395504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00395515
CharNextW.USER32(00000158), ref: 00395544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00395585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0039559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003955AC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 813be5b66fba9912c82226d82e1c3f9c410aeb5bd4e19a08686c6d1779d62940
Instruction ID: 6d8d4c3e12e48c30d5e4ed68a81fc7adcf556d69991a0a9e9fbc1d72a6794d71
Opcode Fuzzy Hash: 813be5b66fba9912c82226d82e1c3f9c410aeb5bd4e19a08686c6d1779d62940
Instruction Fuzzy Hash: 5361BD31904608EFDF138F91CC849FE7BB9EB0A721F114146F925AB291D7709AC0DB60

Function 0035FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0035FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0035FB08
VariantInit.OLEAUT32(?), ref: 0035FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0035FB3A
VariantCopy.OLEAUT32(?,?), ref: 0035FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0035FBA1
VariantClear.OLEAUT32(?), ref: 0035FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0035FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0035FBCC
VariantClear.OLEAUT32(?), ref: 0035FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0035FBE9

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 438f0f3adb1028f4315ba4b7c308bdc5aa2f0f74c3c2c2b4cc9b23bb049a5f74
Instruction ID: ec668a2a42be4d0d74579ca3554b918365b1327aee47d3eef0eb120d555c9b2c
Opcode Fuzzy Hash: 438f0f3adb1028f4315ba4b7c308bdc5aa2f0f74c3c2c2b4cc9b23bb049a5f74
Instruction Fuzzy Hash: 68416035A00219DFCF06DF69C854DEEBBB9FF08345F008069E905AB261CB31A945CFA1

Function 00369C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00369CA1
GetAsyncKeyState.USER32(000000A0), ref: 00369D22
GetKeyState.USER32(000000A0), ref: 00369D3D
GetAsyncKeyState.USER32(000000A1), ref: 00369D57
GetKeyState.USER32(000000A1), ref: 00369D6C
GetAsyncKeyState.USER32(00000011), ref: 00369D84
GetKeyState.USER32(00000011), ref: 00369D96
GetAsyncKeyState.USER32(00000012), ref: 00369DAE
GetKeyState.USER32(00000012), ref: 00369DC0
GetAsyncKeyState.USER32(0000005B), ref: 00369DD8
GetKeyState.USER32(0000005B), ref: 00369DEA

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1a62de9ebc1c6cb9e26b8c7b3a279337356776c2ce737568249da3dd2be0d532
Instruction ID: 8154f5476d798145f5272892fa4f3aaee5d004cad18a962773a10575a9f687fe
Opcode Fuzzy Hash: 1a62de9ebc1c6cb9e26b8c7b3a279337356776c2ce737568249da3dd2be0d532
Instruction Fuzzy Hash: 2441F8345047C96DFF338765C8043B5BEA86F12344F0AC06BDAC6565C6DBB599C8C7A2

Function 0038055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003805BC
inet_addr.WSOCK32(?), ref: 0038061C
gethostbyname.WSOCK32(?), ref: 00380628
IcmpCreateFile.IPHLPAPI ref: 00380636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003807B9
WSACleanup.WSOCK32 ref: 003807BF

Strings

Ping, xrefs: 00380676

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ee4e40e6e8e92b25b9635730b92d4e227939e7888b7484218cdfe1ab91d834db
Instruction ID: 0d4e72eba8d8de316a4a1c01fc42d48568e068d15de963d5c7a18bf4f0bfd0f3
Opcode Fuzzy Hash: ee4e40e6e8e92b25b9635730b92d4e227939e7888b7484218cdfe1ab91d834db
Instruction Fuzzy Hash: A691AC356083019FD766EF15C888F1ABBE4AF48318F1585A9F4698B6A2C730ED49CF91

Function 00388CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00388CF3

Part of subcall function 00368E54: _wcslen.LIBCMT ref: 00368E77

_wcslen.LIBCMT ref: 00388D4E
_wcslen.LIBCMT ref: 00388D9C
_wcslen.LIBCMT ref: 00388DDC
_wcslen.LIBCMT ref: 00388E6E

Strings

stdcall, xrefs: 00388DD6, 00388DDB
winapi, xrefs: 00388D96, 00388D9B
none, xrefs: 00388E65, 00388E6A
cdecl, xrefs: 00388D48, 00388D4D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 76ffb8eaef19f64e3f8d3d3810b1db72677581b0960a13adfcbc33cd88b1951b
Instruction ID: 4aec8becd61c4ec834f8d1d747ba83a4f29350c53c228759631a27948b748f2d
Opcode Fuzzy Hash: 76ffb8eaef19f64e3f8d3d3810b1db72677581b0960a13adfcbc33cd88b1951b
Instruction Fuzzy Hash: 1F51B631A002169BCF16EF6CC9509BEB7A5BF64314BA14269E426EB2C5DB31ED44C790

Function 0038372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00383774
CoUninitialize.OLE32 ref: 0038377F
CoCreateInstance.OLE32(?,00000000,00000017,0039FB78,?), ref: 003837D9
IIDFromString.OLE32(?,?), ref: 0038384C
VariantInit.OLEAUT32(?), ref: 003838E4
VariantClear.OLEAUT32(?), ref: 00383936

Strings

Invalid parameter, xrefs: 00383865
NULL Pointer assignment, xrefs: 0038381E
Failed to create object, xrefs: 003837E4, 0038389A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 66b2c37a2a00d50fd6666f2609ec8a725a7b2bdcd2cc14f4fb75569701bd97ad
Instruction ID: a29181cad000f21ef4d0d84d2266a24b9e018e749018b54c667a0645d5650ce2
Opcode Fuzzy Hash: 66b2c37a2a00d50fd6666f2609ec8a725a7b2bdcd2cc14f4fb75569701bd97ad
Instruction Fuzzy Hash: 4F619F71608311AFD712EF54C849FAAB7E8EF49B10F104889F9959B391D770EE48CB92

Function 00373388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003733CF

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003733F0

Strings

Error: , xrefs: 003734D1
Line %d (File "%s"):, xrefs: 00373443, 0037345C
Incorrect parameters to object property !, xrefs: 003734AB
^ ERROR , xrefs: 0037349E
"%s" (%d) : ==> %s:, xrefs: 00373522
"%s" (%d) : ==> %s:%s%s, xrefs: 00373504

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ab069fe65631e625b28a1530ba10f975e10a9b0dbd656bc388bc45fab6561fb2
Instruction ID: 037947fdcf13df00746f3f235310a17bd76803418e1ba879c3e023ce49987670
Opcode Fuzzy Hash: ab069fe65631e625b28a1530ba10f975e10a9b0dbd656bc388bc45fab6561fb2
Instruction Fuzzy Hash: 69517C71901209ABDF1BEBA0DD52EEEB778AF04340F108166F505B60A2EB356F58DB60

Function 0036B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0036B5FC
_wcslen.LIBCMT ref: 0036B608
_wcslen.LIBCMT ref: 0036B64D
_wcslen.LIBCMT ref: 0036B68C
_wcslen.LIBCMT ref: 0036B6C7

Strings

EXISTS, xrefs: 0036B686, 0036B68B
REMOVE, xrefs: 0036B602, 0036B607
KEYS, xrefs: 0036B647, 0036B64C
APPEND, xrefs: 0036B6C1, 0036B6C6

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: dd8866c8586bbb60d1ede63badebf499e62b061744d3293e7e9d2ce781525036
Instruction ID: e70b13a220f5add30bb5bdba6fe3f4580d2594266a7ee3ed8689e8a81abc7929
Opcode Fuzzy Hash: dd8866c8586bbb60d1ede63badebf499e62b061744d3293e7e9d2ce781525036
Instruction Fuzzy Hash: 3241D832A011269BCB125F7DC9915BEF7A5AF60754B268129E461DB288E731CDC1CBA0

Function 00375393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00375416
GetLastError.KERNEL32 ref: 00375420
SetErrorMode.KERNEL32(00000000,READY), ref: 003754A7

Strings

UNKNOWN, xrefs: 00375444
NOTREADY, xrefs: 0037544B
READONLY, xrefs: 00375452
READY, xrefs: 00375460, 00375468
INVALID, xrefs: 00375459

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3e644080cf6825220b92c61d1857fec23c3a83c2d9f9010bab339696db9f01ad
Instruction ID: 0b7d42cc2e3fa977ed273a8adc4b9bc4686d1002ed101b8d774309ceaff04639
Opcode Fuzzy Hash: 3e644080cf6825220b92c61d1857fec23c3a83c2d9f9010bab339696db9f01ad
Instruction Fuzzy Hash: F531D635A005049FDB26DF69C485FAA7BB8EF05305F15C05AE40ACF292DBB5DD82CB90

Function 00393C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00393C79
SetMenu.USER32(?,00000000), ref: 00393C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00393D10
IsMenu.USER32(?), ref: 00393D24
CreatePopupMenu.USER32 ref: 00393D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00393D5B
DrawMenuBar.USER32 ref: 00393D63

Strings

F, xrefs: 00393D4E
0, xrefs: 00393C54

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 35c5217bf69ea8ba6ff6fb7f1ec5e08e03a8394bd19c182dfe856b9a365410cd
Instruction ID: 44f0fd3f8b167d117ad8a7fff05fa9a6a22b174b129c74f03ee5af31718911fc
Opcode Fuzzy Hash: 35c5217bf69ea8ba6ff6fb7f1ec5e08e03a8394bd19c182dfe856b9a365410cd
Instruction Fuzzy Hash: F4417CB9A01209EFDF15CFA4E854AAA7BB9FF49350F150029F94697360D731AA10CF94

Function 00361EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00361F64
GetDlgCtrlID.USER32 ref: 00361F6F
GetParent.USER32 ref: 00361F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00361F8E
GetDlgCtrlID.USER32(?), ref: 00361F97
GetParent.USER32(?), ref: 00361FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00361FAE

Strings

ListBox, xrefs: 00361F21
ComboBox, xrefs: 00361EEC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: cd5e92716df21a6bea2d2522d32290b9114ff9f180650734ffd6ff01087d45d6
Instruction ID: 6fee369ca50d210ea6eb6cb01d0a443f8cb535e01d928c9894ad5a81eea28ddd
Opcode Fuzzy Hash: cd5e92716df21a6bea2d2522d32290b9114ff9f180650734ffd6ff01087d45d6
Instruction Fuzzy Hash: F021CF71900214BBCF06AFA0CC95EEEFBB8EF15310F048256F961AB2E5CB755918DB60

Function 00393A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00393A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00393AA0
GetWindowLongW.USER32(?,000000F0), ref: 00393AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00393AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00393B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00393BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00393BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00393BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00393BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00393C13

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 9245a3dced86cb4afe146e400e809158a37b9bb1eb333d427fe8b269692d63f6
Instruction ID: 771250ab7feb24e1faee25dc82a61e33e602b7dd2cfcc3bd244640be0d88b027
Opcode Fuzzy Hash: 9245a3dced86cb4afe146e400e809158a37b9bb1eb333d427fe8b269692d63f6
Instruction Fuzzy Hash: 32615DB5900248AFDB12DFA8CC81EEE77F8EB09710F10415AFA15AB291D774AE45DF50

Function 00332C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00332C94

Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0

_free.LIBCMT ref: 00332CA0
_free.LIBCMT ref: 00332CAB
_free.LIBCMT ref: 00332CB6
_free.LIBCMT ref: 00332CC1
_free.LIBCMT ref: 00332CCC
_free.LIBCMT ref: 00332CD7
_free.LIBCMT ref: 00332CE2
_free.LIBCMT ref: 00332CED
_free.LIBCMT ref: 00332CFB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6b3128988df61f6254982760439f8542acfd5a32fa21f7d15356567385434b2c
Instruction ID: df96533031c4c1f8cbeb4518ea8636119906fbe73bf74f543e6d7ca1efd51e9e
Opcode Fuzzy Hash: 6b3128988df61f6254982760439f8542acfd5a32fa21f7d15356567385434b2c
Instruction Fuzzy Hash: C911A476100118AFCB03EF54E882DDE7BA5FF06350F4144A5FA489F222DB31EE609B90

Function 00377DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00377FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00377FC1
GetFileAttributesW.KERNEL32(?), ref: 00377FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00378005
SetCurrentDirectoryW.KERNEL32(?), ref: 00378017
SetCurrentDirectoryW.KERNEL32(?), ref: 00378060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003780B0

Strings

*.*, xrefs: 00378066

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 51c28cc22d44182c0fd6ad9b2f9a6d14a6e6f6ca111f7191abe1679da520eb07
Instruction ID: 8defeebc4cae882eaa5ae4abd1ad748549d0a31902479ca85f39d24e634b68d8
Opcode Fuzzy Hash: 51c28cc22d44182c0fd6ad9b2f9a6d14a6e6f6ca111f7191abe1679da520eb07
Instruction Fuzzy Hash: 4481C2725182019BCB32DF14C854AAEB3E8BF89310F158C5EF889DB650EB79DD49CB52

Function 00305BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00305C7A

Part of subcall function 00305D0A: GetClientRect.USER32(?,?), ref: 00305D30
Part of subcall function 00305D0A: GetWindowRect.USER32(?,?), ref: 00305D71
Part of subcall function 00305D0A: ScreenToClient.USER32(?,?), ref: 00305D99

GetDC.USER32 ref: 003446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00344708
SelectObject.GDI32(00000000,00000000), ref: 00344716
SelectObject.GDI32(00000000,00000000), ref: 0034472B
ReleaseDC.USER32(?,00000000), ref: 00344733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003447C4

Strings

U, xrefs: 00344693

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 94358f2ef7a41bc8bc1eaa70e47b14f51156ac89d728a2c73a23f3920c95ee43
Instruction ID: 693ec78102444a986bd51cacc6605ecf9682b3a7785d5d1e491d5104bc21ffe5
Opcode Fuzzy Hash: 94358f2ef7a41bc8bc1eaa70e47b14f51156ac89d728a2c73a23f3920c95ee43
Instruction Fuzzy Hash: F271BD31401205DFDF23CF64C984AAA7BF9FF4A360F15427AE9655E1A6C731A882DF60

Function 0037359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003735E4

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

LoadStringW.USER32(003D2390,?,00000FFF,?), ref: 0037360A

Strings

Error: , xrefs: 003736EF
Line %d (File "%s"):, xrefs: 0037366B
^ ERROR, xrefs: 003736C9
"%s" (%d) : ==> %s:, xrefs: 00373742
"%s" (%d) : ==> %s:%s%s, xrefs: 00373724

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 551aaffcc95b9e51bac3c0e5ab4211865ac0fe31835515ad39bf11966afd6f48
Instruction ID: 322cb6b8e18fd3f8c78397a6f68ded711686e027a6c3e10f58771afd53c88db2
Opcode Fuzzy Hash: 551aaffcc95b9e51bac3c0e5ab4211865ac0fe31835515ad39bf11966afd6f48
Instruction Fuzzy Hash: AC516071901249BBDF17EBA0DC92EEEBB78AF04300F148166F105761A2DB315A99DFA1

Function 0037C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0037C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0037C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0037C2CA
GetLastError.KERNEL32 ref: 0037C322
SetEvent.KERNEL32(?), ref: 0037C336
InternetCloseHandle.WININET(00000000), ref: 0037C341

Strings

, xrefs: 0037C2BB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 75012f665f5671c1adc70ed3a21b0ae74cc8654225a09b0d4067c4870bd2a68c
Instruction ID: a6022cdd7b3b94792446e65df77a7080646251d20874aaa6e57cc1a224ac5294
Opcode Fuzzy Hash: 75012f665f5671c1adc70ed3a21b0ae74cc8654225a09b0d4067c4870bd2a68c
Instruction Fuzzy Hash: D1319175510608AFEB339FA48C84AAB7BFCEB49740F14D51EF44A96201DB39DD049B60

Function 0036989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00343AAF,?,?,Bad directive syntax error,0039CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003698BC
LoadStringW.USER32(00000000,?,00343AAF,?), ref: 003698C3

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00369987

Strings

., xrefs: 0036996D
%s (%d) : ==> %s.: %s %s, xrefs: 003698F1
Line %d:, xrefs: 00369912
Line %d (File "%s"):, xrefs: 0036992D
Error: , xrefs: 00369955

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 7047508caeef757f59b1c1949be5d14c60c61c6dcd7c3bf1617bbbc2a3f54227
Instruction ID: d5018e8c4ff123aa0fb646858f51165199d8bb08872e7c65b946f56d4b7ae2e0
Opcode Fuzzy Hash: 7047508caeef757f59b1c1949be5d14c60c61c6dcd7c3bf1617bbbc2a3f54227
Instruction Fuzzy Hash: 88215C3191021AABCF17EF90CC56FEE7779BF18300F04846AF5156A0A2EB71AA58DB51

Function 0036209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0036214D

Strings

details, xrefs: 003620FB
SHELLDLL_DefView, xrefs: 003620CC
smallicons, xrefs: 00362115
list, xrefs: 0036212F
largeicons, xrefs: 003620E1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c9bb1fc8aeb2ae450d0ccfebe2270a65c46cd71daebd3462eebadd9d2d0716a0
Instruction ID: 9af3211869f11752d23c779bdc48491fb589db933f8b9f74bf2bf76e7b4c6b8e
Opcode Fuzzy Hash: c9bb1fc8aeb2ae450d0ccfebe2270a65c46cd71daebd3462eebadd9d2d0716a0
Instruction Fuzzy Hash: CE11067668CB16BAFA036720EC06DE77B9CDB16324F22401AFB04E90D5EE61AC525624

Function 0033CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0033CEB7
_free.LIBCMT ref: 0033CF22
_free.LIBCMT ref: 0033CF48
_free.LIBCMT ref: 0033CF71
_free.LIBCMT ref: 0033CFA9
_free.LIBCMT ref: 0033CFDA
_free.LIBCMT ref: 0033D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0033D09C
_free.LIBCMT ref: 0033D0B5

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b8c1e52b3d8ce872ca2c0874a7e3b4cd733113937fc22f1ab98d93f6d1c43a25
Instruction ID: f0a3d08ba14fc3f01ab8716383e282bf789240918d705b81003401d2182c20fc
Opcode Fuzzy Hash: b8c1e52b3d8ce872ca2c0874a7e3b4cd733113937fc22f1ab98d93f6d1c43a25
Instruction Fuzzy Hash: 0A613871905310AFDB27AFB4A8C1B6E7BAAEF05710F15416EF944BB291D7329D01C750

Function 003950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00395186
ShowWindow.USER32(?,00000000), ref: 003951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 003951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 003951D1

Part of subcall function 00396FBA: DeleteObject.GDI32(00000000), ref: 00396FE6

GetWindowLongW.USER32(?,000000F0), ref: 0039520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0039521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0039524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00395287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00395296

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 0270bf7a46cc025498a74767b142952bcb7084f8518c048c473884daefa696ba
Instruction ID: c5f984ae4cad2f492e6b17cbc241d451bc4cc72a6fa932a69e70bf99a6535fc2
Opcode Fuzzy Hash: 0270bf7a46cc025498a74767b142952bcb7084f8518c048c473884daefa696ba
Instruction Fuzzy Hash: 7451C030A51A08BFEF279F24CC4ABD97B69FF05321F258412F6559A2E0C375A9C0DB40

Function 00318B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00356890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00318874,00000000,00000000,00000000,000000FF,00000000), ref: 00356901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0035691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00318874,00000000,00000000,00000000,000000FF,00000000), ref: 0035692D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 289a80960a9034c97f6a172967534bc220394bd02d29c6db05ce361d0bc5346c
Instruction ID: 6f2d4db759c7973f7af9e08f6a39b9fd0fef985f2f06795a38aab01d3ce24b71
Opcode Fuzzy Hash: 289a80960a9034c97f6a172967534bc220394bd02d29c6db05ce361d0bc5346c
Instruction Fuzzy Hash: FF51AC70600209EFDB26CF25CC52FAA7BB9FF48350F108519F906972A0DB71E994DB50

Function 0037C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0037C182
GetLastError.KERNEL32 ref: 0037C195
SetEvent.KERNEL32(?), ref: 0037C1A9

Part of subcall function 0037C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0037C272
Part of subcall function 0037C253: GetLastError.KERNEL32 ref: 0037C322
Part of subcall function 0037C253: SetEvent.KERNEL32(?), ref: 0037C336
Part of subcall function 0037C253: InternetCloseHandle.WININET(00000000), ref: 0037C341

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 41b5fcc9594cfec24c78905862825bb1645d5920b1e85418544db7621257893e
Instruction ID: 1e166b076ffcdc2847c1c4b1753d3ac51a2f24a087e473caadcd098b7297e64e
Opcode Fuzzy Hash: 41b5fcc9594cfec24c78905862825bb1645d5920b1e85418544db7621257893e
Instruction Fuzzy Hash: 1631A171120605AFDF329FA5DC44A66BBFCFF18300F04A82EF95A86611C739E810DB60

Function 003625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00363A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00363A57
Part of subcall function 00363A3D: GetCurrentThreadId.KERNEL32 ref: 00363A5E
Part of subcall function 00363A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003625B3), ref: 00363A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00362601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00362605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0036260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00362623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00362627

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 4a48525477e77f9f0bbed7be137fcd00a8f9faf521abea347be0626afdce88f3
Instruction ID: 62ac54ea9d58e7dd5eed18682ad0b5b907098e34cc12818c0eca01b917bb2a25
Opcode Fuzzy Hash: 4a48525477e77f9f0bbed7be137fcd00a8f9faf521abea347be0626afdce88f3
Instruction Fuzzy Hash: B101D4303A0610BBFB216769DC8AF5A7F5DDF4EB52F105012F358AE0D5C9E22844DA6A

Function 00361803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00361449,?,?,00000000), ref: 0036180C
HeapAlloc.KERNEL32(00000000,?,00361449,?,?,00000000), ref: 00361813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00361449,?,?,00000000), ref: 00361828
GetCurrentProcess.KERNEL32(?,00000000,?,00361449,?,?,00000000), ref: 00361830
DuplicateHandle.KERNEL32(00000000,?,00361449,?,?,00000000), ref: 00361833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00361449,?,?,00000000), ref: 00361843
GetCurrentProcess.KERNEL32(00361449,00000000,?,00361449,?,?,00000000), ref: 0036184B
DuplicateHandle.KERNEL32(00000000,?,00361449,?,?,00000000), ref: 0036184E
CreateThread.KERNEL32(00000000,00000000,00361874,00000000,00000000,00000000), ref: 00361868

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 47ab6bae1bed7e186a48e081d746097e8ad5d7b3c9c868aae2bf8cf5f1491ff8
Instruction ID: e563ad1fbce61b2d57c504bdd80a1c3f4b73b7a74a5465acd95e260744ee9ad4
Opcode Fuzzy Hash: 47ab6bae1bed7e186a48e081d746097e8ad5d7b3c9c868aae2bf8cf5f1491ff8
Instruction Fuzzy Hash: 0C01BBB5250308BFE711ABA5DD4EF6B3BACEB89B11F409412FA05DB1A1CA759800CB34

Function 00333E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00333F0B
__alldvrm.LIBCMT ref: 0033410C
__alldvrm.LIBCMT ref: 0033412E

Strings

}}2, xrefs: 00333E8A
}}2, xrefs: 00333E96, 00333EF1, 00333F0A, 00334090
}}2, xrefs: 003340CD

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}2$}}2$}}2
API String ID: 1036877536-3768645003
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 55f3fd1cb6b204262a02af40876982ca36c23e550759f05147ccf3bd52fa2e51
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 30A13672E007869FDB27CF28C8D17AEFBE4EF62350F15416DE5859B281C238A981C750

Function 0038A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0036D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0036D501
Part of subcall function 0036D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0036D50F
Part of subcall function 0036D4DC: CloseHandle.KERNELBASE(00000000), ref: 0036D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038A16D
GetLastError.KERNEL32 ref: 0038A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0038A268
GetLastError.KERNEL32(00000000), ref: 0038A273
CloseHandle.KERNEL32(00000000), ref: 0038A2C4

Strings

SeDebugPrivilege, xrefs: 0038A18F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 02c9095df2a4ac148c12494b1b3785bd99a5a0380b73a3302ce9e56e2741a6c7
Instruction ID: 9ea4af31b824b0271ae9d7ea3350ccd00b64b2ca22c6e472cc779949bbb6283e
Opcode Fuzzy Hash: 02c9095df2a4ac148c12494b1b3785bd99a5a0380b73a3302ce9e56e2741a6c7
Instruction Fuzzy Hash: 0261AB702047029FE722EF18C494F16BBA5AF44318F19848DE4668FBA3C776EC45CB92

Function 00393886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00393925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0039393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00393954
_wcslen.LIBCMT ref: 00393999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003939F4

Strings

SysListView32, xrefs: 003938F7

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 60e73cf6ba86263d27a3eb0e36074a3e26ba2639cbf996779362bb246c7e8be0
Instruction ID: c9ec85cf8275e791b07eb4fe93f472fd6529f118b8975bd78bb240e55ffec600
Opcode Fuzzy Hash: 60e73cf6ba86263d27a3eb0e36074a3e26ba2639cbf996779362bb246c7e8be0
Instruction Fuzzy Hash: 77418571A00219ABEF22DF64CC45FEA7BA9FF08350F150526F958E7281D7719D94CB90

Function 0036BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0036BCFD
IsMenu.USER32(00000000), ref: 0036BD1D
CreatePopupMenu.USER32 ref: 0036BD53
GetMenuItemCount.USER32(015E5850), ref: 0036BDA4
InsertMenuItemW.USER32(015E5850,?,00000001,00000030), ref: 0036BDCC

Strings

2, xrefs: 0036BD37
0, xrefs: 0036BCA8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2397fe4d2313edb83e5a5dc2d5cd2f311d39c54163f155f0772ad0686a937585
Instruction ID: e70c46e8c6d8f6378a3866a7d3304cd6b6d52ff5966e49d1ff5afb7fea445a7f
Opcode Fuzzy Hash: 2397fe4d2313edb83e5a5dc2d5cd2f311d39c54163f155f0772ad0686a937585
Instruction Fuzzy Hash: 9A51AF70A002459BDF22CFA9D884BAEFBF8AF45314F14C21AE441DF299D7719981CF61

Function 00322D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00322D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00322D53
_ValidateLocalCookies.LIBCMT ref: 00322DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00322E0C
_ValidateLocalCookies.LIBCMT ref: 00322E61

Strings

csm, xrefs: 00322DF6
&H2, xrefs: 00322DFE, 00322E07, 00322E18

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H2$csm
API String ID: 1170836740-3052720543
Opcode ID: e133e1b8a99cc35434a4957b54c3f3ec7cab9aed90d35574ef783e1bd6a5f6d1
Instruction ID: 69b2824d4462084384f2d5d54761ae2da474ccbb20f6996a558e893723ada1bd
Opcode Fuzzy Hash: e133e1b8a99cc35434a4957b54c3f3ec7cab9aed90d35574ef783e1bd6a5f6d1
Instruction Fuzzy Hash: 0441C234E00228ABCF12DF68EC45AAFBBB5BF45324F158155E825AF352D735AA05CBD0

Function 0036C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0036C913

Strings

stop, xrefs: 0036C8E4
info, xrefs: 0036C8B4
warning, xrefs: 0036C8FC
question, xrefs: 0036C8CC
blank, xrefs: 0036C895

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5043a577de5c53d7566d82d48c8297e9a3bbc1845fcaf6b7ae03e3bc1ace6781
Instruction ID: 67ff7e259a117359c0049c53aea2e98919c4eb3cc1fa068445553a786540531c
Opcode Fuzzy Hash: 5043a577de5c53d7566d82d48c8297e9a3bbc1845fcaf6b7ae03e3bc1ace6781
Instruction Fuzzy Hash: 1C113A326A9306BAE7079B54AC83DFA37DCDF15354B20902FF544EA282E7B15E005364

Function 0036DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0036DE42
gethostname.WSOCK32(?,00000100), ref: 0036DE5C
gethostbyname.WSOCK32(?), ref: 0036DE69
inet_ntoa.WSOCK32(?), ref: 0036DEAB
_strcat.LIBCMT ref: 0036DEB9
WSACleanup.WSOCK32 ref: 0036DEDE

Strings

0.0.0.0, xrefs: 0036DE87

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 546716324336e1b08f28018f44ad011d0dce7e0855576884b9f050c66ed4347b
Instruction ID: 455c415780c5a93437f18dd651a67c94204d8322e65190c78a55df8988ef8fcd
Opcode Fuzzy Hash: 546716324336e1b08f28018f44ad011d0dce7e0855576884b9f050c66ed4347b
Instruction Fuzzy Hash: C011EC71A14114AFCB27AB60EC4AEDF776CDF11711F01416AF545DE095EFB28A818AA0

Function 00399F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2

GetSystemMetrics.USER32(0000000F), ref: 00399FC7
GetSystemMetrics.USER32(0000000F), ref: 00399FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0039A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0039A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0039A263
ShowWindow.USER32(00000003,00000000), ref: 0039A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0039A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0039A2CA

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: dfd3957c08f968841be137ae5b33a4b539e55f84e8c4e2ed97899547f8833bb7
Instruction ID: fa881c8ea6a09b170dd9f067bd0ca2607f923d057779cc9d4492e450ccf124ed
Opcode Fuzzy Hash: dfd3957c08f968841be137ae5b33a4b539e55f84e8c4e2ed97899547f8833bb7
Instruction Fuzzy Hash: 31B19A31600615EFDF16CF68C9857AE7BF2FF44701F09816AEC899B295D731A940CBA1

Function 0036ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0036ED2A
_wcslen.LIBCMT ref: 0036ED3B
_wcslen.LIBCMT ref: 0036ED79
_wcslen.LIBCMT ref: 0036EDAF
_wcslen.LIBCMT ref: 0036EDDF
_wcslen.LIBCMT ref: 0036EDEF
_wcslen.LIBCMT ref: 0036EE2B
_wcslen.LIBCMT ref: 0036EE5A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 9e78b3e2a438f9e147c566547e9a05091cb986e1d7926a4daca3da157c7f6e5c
Instruction ID: ff5c9f48feff151a7089bf2297276dd61ef7c08a799ceeca720b32a69c5df105
Opcode Fuzzy Hash: 9e78b3e2a438f9e147c566547e9a05091cb986e1d7926a4daca3da157c7f6e5c
Instruction Fuzzy Hash: AD416275C10228B5CB12EBF4988A9CFB7A8AF49710F508966E518E7122FB34E255C3E5

Function 0031F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0035682C,00000004,00000000,00000000), ref: 0031F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0035682C,00000004,00000000,00000000), ref: 0035F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0035682C,00000004,00000000,00000000), ref: 0035F454

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6b6bc9c835bbab0065b16fa9b736a43a1421ad57264940b230ee5b94aa920061
Instruction ID: c26825fc130f1670f6d013741c5447931bd63f91a5b27ab48032390d59cd75fd
Opcode Fuzzy Hash: 6b6bc9c835bbab0065b16fa9b736a43a1421ad57264940b230ee5b94aa920061
Instruction Fuzzy Hash: 4F414E31208640BFD73FBB29C888BAA7B99AF4E325F59443DE44756970C73298C5CB11

Function 00392D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00392D1B
GetDC.USER32(00000000), ref: 00392D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00392D2E
ReleaseDC.USER32(00000000,00000000), ref: 00392D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00392D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00392D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00395A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00392DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00392DE1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2cab6ff87ef73144dd75ed8ce841ee1542656f2f9ae9de403a40d90f2df15913
Instruction ID: ca947b0d2818bd823989691ef8f2211809e173efabbd9bb206d219f877b17386
Opcode Fuzzy Hash: 2cab6ff87ef73144dd75ed8ce841ee1542656f2f9ae9de403a40d90f2df15913
Instruction Fuzzy Hash: 18316B72211614BFEF128F508C8AFEB3BADEB09715F084056FE089A291C6769C50CBA4

Function 00365622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00365637
_memcmp.LIBVCRUNTIME ref: 00365659
_memcmp.LIBVCRUNTIME ref: 00365671
_memcmp.LIBVCRUNTIME ref: 00365684
_memcmp.LIBVCRUNTIME ref: 0036569E
_memcmp.LIBVCRUNTIME ref: 003656B1
_memcmp.LIBVCRUNTIME ref: 003656C9
_memcmp.LIBVCRUNTIME ref: 003656E4

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a263ebefddc88f80d8c131a27807ddb0b7e3b34f884cf6260ec55d4fcb69d253
Instruction ID: 5853d59d9b1c435b7e4a7d4b940276f9db2522e4b9343e1f5991f77ef23d34f8
Opcode Fuzzy Hash: a263ebefddc88f80d8c131a27807ddb0b7e3b34f884cf6260ec55d4fcb69d253
Instruction Fuzzy Hash: C721A475641A197BD71B9A20EE82FFA335DAF20395F44C030FE04AEA85F720ED20C5A5

Function 00384FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00385007
NULL Pointer assignment, xrefs: 0038502E, 00385383

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ed95f002ead750217386f372e9b2d8539fb1633ca80fa402b8886a8d5e75213f
Instruction ID: 9d31e27a3acfe5b174e43730b0b72b52cfeaae58d936fd86f35914e256d2888b
Opcode Fuzzy Hash: ed95f002ead750217386f372e9b2d8539fb1633ca80fa402b8886a8d5e75213f
Instruction Fuzzy Hash: 5BD1D175A0070A9FDF12EFA8C885BAEB7B5BF48344F1584A9E915EB280E770DD41CB50

Function 00341522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 003415CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00341651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003416E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 003416FB

Part of subcall function 00333820: RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00341777
__freea.LIBCMT ref: 003417A2
__freea.LIBCMT ref: 003417AE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c0e4f823134aebe5a1fbea1c01f4319d19bffe6bcbcf4552382723de7b52d546
Instruction ID: ab40c8a19a3b5fa74c4665d845b3b6dd0f01e27a6a935fd913fe48a9d9e51806
Opcode Fuzzy Hash: c0e4f823134aebe5a1fbea1c01f4319d19bffe6bcbcf4552382723de7b52d546
Instruction Fuzzy Hash: 3E91D472E10A169ADF228E74C881AEE7BF9EF49350F194659E805EF141D735EC84CB60

Function 00384523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00384648
VariantInit.OLEAUT32(?), ref: 00384749
VariantClear.OLEAUT32(?), ref: 00384753
VariantClear.OLEAUT32(?), ref: 003847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0038472C
Null Object assignment in FOR..IN loop, xrefs: 003845D8, 00384706, 003847BE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f2373e0a9e1cd9987942f5cba336b2f307e8aa3c1db6a75099936cbda3d0b279
Instruction ID: b527525b8b63334701cab00564c24bea81c581e54d5da96b035d12fb0d1f7871
Opcode Fuzzy Hash: f2373e0a9e1cd9987942f5cba336b2f307e8aa3c1db6a75099936cbda3d0b279
Instruction Fuzzy Hash: 12919171A00316AFDF26DFA5C844FAEBBB8EF46710F108599F515AB680E7709941CFA0

Function 00371187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0037125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00371284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0037135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00371430

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: f787b1854971a7ea7192ab1966235734b99e10b7dd7c52ff6927e54f8c290992
Instruction ID: c83db2d662a90f6ec325552c1bbfc73aeea11f38579ed6595e2c22bc5b50efd5
Opcode Fuzzy Hash: f787b1854971a7ea7192ab1966235734b99e10b7dd7c52ff6927e54f8c290992
Instruction Fuzzy Hash: 8A912976A002059FDB23DF99C884BBEB7B9FF45310F158429E904EB292D778E941CB50

Function 0031948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 002eb82d9ed3da45ff4bcc10e28d955b62d06649fd32737360d19f1b6d87c1e7
Instruction ID: 9d5372c2557cca68b85a12085c046ea2baea0603ba270eebbf9220cc8a327391
Opcode Fuzzy Hash: 002eb82d9ed3da45ff4bcc10e28d955b62d06649fd32737360d19f1b6d87c1e7
Instruction Fuzzy Hash: AE916A71D00219EFCB16CFA9CC84AEEBBB9FF49320F144446E915B7251D775AA81CBA0

Function 00383947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0038396B
CharUpperBuffW.USER32(?,?), ref: 00383A7A
_wcslen.LIBCMT ref: 00383A8A
VariantClear.OLEAUT32(?), ref: 00383C1F

Part of subcall function 00370CDF: VariantInit.OLEAUT32(00000000), ref: 00370D1F
Part of subcall function 00370CDF: VariantCopy.OLEAUT32(?,?), ref: 00370D28
Part of subcall function 00370CDF: VariantClear.OLEAUT32(?), ref: 00370D34

Strings

AUTOIT.ERROR, xrefs: 00383A80, 00383A85
Incorrect Parameter format, xrefs: 003839A6, 00383BA1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: c32aca09a5f68276f8b92129dbbb5e512597c490099a47845b4ef440c1c7d569
Instruction ID: 52dfa40a5a6726e45250993d4cdff1d233c1a741cbad68753cba5fe901373e7c
Opcode Fuzzy Hash: c32aca09a5f68276f8b92129dbbb5e512597c490099a47845b4ef440c1c7d569
Instruction Fuzzy Hash: 2F917C756083059FC706EF28C49096AB7E4FF89714F14886EF8899B351DB31EE45CB92

Function 00384BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0036000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?,?,0036035E), ref: 0036002B
Part of subcall function 0036000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360046
Part of subcall function 0036000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360054
Part of subcall function 0036000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?), ref: 00360064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00384C51
_wcslen.LIBCMT ref: 00384D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00384DCF
CoTaskMemFree.OLE32(?), ref: 00384DDA

Strings

NULL Pointer assignment, xrefs: 00384E23, 00384E52

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a57f4250e996ef944ea17eaa2aee0ff16e8b9f11f59438110d290bb7671dd403
Instruction ID: c8b8bd1d5ae45d51c5bc1e54e4890ac95f4f3ed126a17c686e045c1e36340a26
Opcode Fuzzy Hash: a57f4250e996ef944ea17eaa2aee0ff16e8b9f11f59438110d290bb7671dd403
Instruction Fuzzy Hash: 3B911C71D0131DAFDF16EFA4D891AEEB7B8BF04314F10816AE515AB291DB309A44CF60

Function 003920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00392183
GetMenuItemCount.USER32(00000000), ref: 003921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003921DD
_wcslen.LIBCMT ref: 00392213
GetMenuItemID.USER32(?,?), ref: 0039224D
GetSubMenu.USER32(?,?), ref: 0039225B

Part of subcall function 00363A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00363A57
Part of subcall function 00363A3D: GetCurrentThreadId.KERNEL32 ref: 00363A5E
Part of subcall function 00363A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003625B3), ref: 00363A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003922E3

Part of subcall function 0036E97B: Sleep.KERNEL32 ref: 0036E9F3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b338a0f1d43b16be36b0e6a3185cd62e07db153a41ab6c407e79ebcd9d5833cb
Instruction ID: a2270adf335e99161333680f0a0a86175a5605fdbc74b9409472561b949ef40a
Opcode Fuzzy Hash: b338a0f1d43b16be36b0e6a3185cd62e07db153a41ab6c407e79ebcd9d5833cb
Instruction Fuzzy Hash: D771AE75E00605AFCF16EFA9C881AAEB7F5EF48310F158859E856EB341DB34ED418B90

Function 00397E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(015E5738), ref: 00397F37
IsWindowEnabled.USER32(015E5738), ref: 00397F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0039801E
SendMessageW.USER32(015E5738,000000B0,?,?), ref: 00398051
IsDlgButtonChecked.USER32(?,?), ref: 00398089
GetWindowLongW.USER32(015E5738,000000EC), ref: 003980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003980C3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3e586d607061bb64f42e7871fb0dc469e6018e70342a668cc5a24c6f0d8b6dc1
Instruction ID: bbc806bc97793a6b1f1850b5406a881160d285904c78ca9174f903966760504c
Opcode Fuzzy Hash: 3e586d607061bb64f42e7871fb0dc469e6018e70342a668cc5a24c6f0d8b6dc1
Instruction Fuzzy Hash: 6F719234618204BFEF239F54C894FBABBB9EF4A300F15445AE946673A1CB31AC45DB10

Function 0036AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0036AEF9
GetKeyboardState.USER32(?), ref: 0036AF0E
SetKeyboardState.USER32(?), ref: 0036AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0036AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0036AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0036AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0036B020

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 601b25b5dcff76a0eef68f12b314fdad97c2beb01cfe71bca58fa1569d1b063b
Instruction ID: 6566915110b186ccff45405e796c461d0d140f6ad9ea70a8229ec571795cb1eb
Opcode Fuzzy Hash: 601b25b5dcff76a0eef68f12b314fdad97c2beb01cfe71bca58fa1569d1b063b
Instruction Fuzzy Hash: 8F51C3A0A147D53DFB3742348C45BBABEE96B06304F09C489E1D5998C7C3E9ACC4DB52

Function 0036ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0036AD19
GetKeyboardState.USER32(?), ref: 0036AD2E
SetKeyboardState.USER32(?), ref: 0036AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0036ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0036ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0036AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0036AE38

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f38d1ab6d42a36ba5b59151578f688754f72f0d3ffc1d1d5274f7a1380bdad31
Instruction ID: c2c2800a97af4e3f15769a5430b98215f2f0a8a971beffebe2d6d3af4972af44
Opcode Fuzzy Hash: f38d1ab6d42a36ba5b59151578f688754f72f0d3ffc1d1d5274f7a1380bdad31
Instruction Fuzzy Hash: DE5108A1604BD53DFB3383348C95B7ABEE85B45300F08C489E1D56A8C7C395EC94EB52

Function 0033542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00343CD6,?,?,?,?,?,?,?,?,00335BA3,?,?,00343CD6,?,?), ref: 00335470
__fassign.LIBCMT ref: 003354EB
__fassign.LIBCMT ref: 00335506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00343CD6,00000005,00000000,00000000), ref: 0033552C
WriteFile.KERNEL32(?,00343CD6,00000000,00335BA3,00000000,?,?,?,?,?,?,?,?,?,00335BA3,?), ref: 0033554B
WriteFile.KERNEL32(?,?,00000001,00335BA3,00000000,?,?,?,?,?,?,?,?,?,00335BA3,?), ref: 00335584

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: dfb3c40dd2722b6da97651316c0d579499bf986743b2e817880685371d2ea9be
Instruction ID: b564069b99bebef60b5ac04339064084a988a8dbf5e9bf3382372434871b706f
Opcode Fuzzy Hash: dfb3c40dd2722b6da97651316c0d579499bf986743b2e817880685371d2ea9be
Instruction Fuzzy Hash: CA51D771A006499FDB12CFA8D885BEEBBF9EF09300F14451AF556E7291D730EA41CB60

Function 003810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0038304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0038307A
Part of subcall function 0038304E: _wcslen.LIBCMT ref: 0038309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00381112
WSAGetLastError.WSOCK32 ref: 00381121
WSAGetLastError.WSOCK32 ref: 003811C9
closesocket.WSOCK32(00000000), ref: 003811F9

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: ce2d93211b0111773e3b169e6d5188e305e06ec26fdb06be259d88baa2a6184d
Instruction ID: 65ab8a7a78869c8a3404c5d279928aa8cb0927e0e1e6a6dc74403b257c3ba50c
Opcode Fuzzy Hash: ce2d93211b0111773e3b169e6d5188e305e06ec26fdb06be259d88baa2a6184d
Instruction Fuzzy Hash: 1E41F431600204AFDB12AF54C889BAAB7EDEF45764F148199F9059F291C771AE42CBA1

Function 0036CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0036DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0036CF22,?), ref: 0036DDFD

Part of subcall function 0036DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0036CF22,?), ref: 0036DE16

lstrcmpiW.KERNEL32(?,?), ref: 0036CF45
MoveFileW.KERNEL32(?,?), ref: 0036CF7F
_wcslen.LIBCMT ref: 0036D005
_wcslen.LIBCMT ref: 0036D01B
SHFileOperationW.SHELL32(?), ref: 0036D061

Strings

\*.*, xrefs: 0036CFF3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 4ed009527759e8960dc15dec52ebf9149a0c27ec7b13a16856ce9a3c0ddbb4f6
Instruction ID: 67c05502dfc9cf282379e37d913040407170f32e5d504f2c0aeceb8111f51e8f
Opcode Fuzzy Hash: 4ed009527759e8960dc15dec52ebf9149a0c27ec7b13a16856ce9a3c0ddbb4f6
Instruction Fuzzy Hash: 18415571D452189FDF13EBA4D981AEEB7BCAF08380F0040E6E545EF146EB74A688CB50

Function 00392DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00392E1C
GetWindowLongW.USER32(?,000000F0), ref: 00392E4F
GetWindowLongW.USER32(?,000000F0), ref: 00392E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00392EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00392EE0
GetWindowLongW.USER32(?,000000F0), ref: 00392EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00392F0B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ba064929aec236bf0603a72d53500e977077df7c9fcac46ad8a4bd59728744c0
Instruction ID: 436c2dcbc04d5836a11a7ef2ab5e51174910b69665539ea21a8338c320eea67f
Opcode Fuzzy Hash: ba064929aec236bf0603a72d53500e977077df7c9fcac46ad8a4bd59728744c0
Instruction Fuzzy Hash: 1D310335A05540AFDF22DF18ECD4F6677A8EB4A710F1A1165F9018B2B2CB71AC409B50

Function 00367726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00367769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036778F
SysAllocString.OLEAUT32(00000000), ref: 00367792
SysAllocString.OLEAUT32(?), ref: 003677B0
SysFreeString.OLEAUT32(?), ref: 003677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003677DE
SysAllocString.OLEAUT32(?), ref: 003677EC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f1d6d192b584e5353b9fb38b7a7d2e9b7500af50d6d0b024f884dcde27dab123
Instruction ID: e1b841131dad0431fc4e433921079644c7cad81da3649e60f0ea916a6e5f7493
Opcode Fuzzy Hash: f1d6d192b584e5353b9fb38b7a7d2e9b7500af50d6d0b024f884dcde27dab123
Instruction Fuzzy Hash: 6621C176608219AFDF12EFA8CD88CBB77ACEB09368B448026FA14DB154D674DC418774

Function 003677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00367842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00367868
SysAllocString.OLEAUT32(00000000), ref: 0036786B
SysAllocString.OLEAUT32 ref: 0036788C
SysFreeString.OLEAUT32 ref: 00367895
StringFromGUID2.OLE32(?,?,00000028), ref: 003678AF
SysAllocString.OLEAUT32(?), ref: 003678BD

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cd9b63bc35ef5fb3da5de8148d40eb9399fbe496c4ece25f518d0eb4963a9ff0
Instruction ID: 551f4b57a1d058f8d629386a7b5c1dd0fbc010b1c092ebf3dd3503026f7a1c80
Opcode Fuzzy Hash: cd9b63bc35ef5fb3da5de8148d40eb9399fbe496c4ece25f518d0eb4963a9ff0
Instruction Fuzzy Hash: 4221A131608204AFDB12AFB8DC8DDAA77ECEB09764B50C125F915CB2A5D670DC81CB74

Function 003704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0037052E

Strings

nul, xrefs: 00370567

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 82714dbadcde1ba5ba4dd117fdc5abe8b7ec7a9083639799ff176d23253a9adc
Instruction ID: 360706d6bb37a9fa42e581090c5eb437b9b938a41614a020b77bed159ce67ac5
Opcode Fuzzy Hash: 82714dbadcde1ba5ba4dd117fdc5abe8b7ec7a9083639799ff176d23253a9adc
Instruction Fuzzy Hash: 5521DD74504305EBDF369F28CC44A9A7BA8AF46734F208A19F8E9E62E0D7749940CF20

Function 003705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00370601

Strings

nul, xrefs: 00370639

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9c3201fc3f263bf4d62ea01e280dabc812f7e29955eb2126e72be22c8fe45ddb
Instruction ID: 8cfdf87f26fe4a988de32208d5bf9e6164957f511a333b2355abf52e8db586b6
Opcode Fuzzy Hash: 9c3201fc3f263bf4d62ea01e280dabc812f7e29955eb2126e72be22c8fe45ddb
Instruction Fuzzy Hash: C121AE75500305DBDB369F69CC54A9A77E8EF85730F208A1AF8A5E72E0D7B59860CB20

Function 003940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0030600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0030604C
Part of subcall function 0030600E: GetStockObject.GDI32(00000011), ref: 00306060
Part of subcall function 0030600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0030606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00394112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0039411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0039412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00394139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00394145

Strings

Msctls_Progress32, xrefs: 003940E3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0131f41d19df79567ac929b254874198b6b0323c7b1e5b97c9c2c1f8ac35a22d
Instruction ID: 1ff9f687e5b247a0c2367ac9ab19e0f93e90db13094fad5ca8367b4e02abd088
Opcode Fuzzy Hash: 0131f41d19df79567ac929b254874198b6b0323c7b1e5b97c9c2c1f8ac35a22d
Instruction Fuzzy Hash: 241182B2150219BEEF129F64CC86EE77F5DEF09798F014111FA18A6190C6729C61DBA4

Function 0033D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0033D7A3: _free.LIBCMT ref: 0033D7CC

_free.LIBCMT ref: 0033D82D

Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0

_free.LIBCMT ref: 0033D838
_free.LIBCMT ref: 0033D843
_free.LIBCMT ref: 0033D897
_free.LIBCMT ref: 0033D8A2
_free.LIBCMT ref: 0033D8AD
_free.LIBCMT ref: 0033D8B8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1a230f995f2c5f033ebaa5bfd1343c98a77b0b8ed8e4375ff5fafafd137f537d
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: AB115E71940B14AAD623BFB0EC87FCB7BDCAF01700F400825B699AE292DB66B5158660

Function 0036DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0036DA74
LoadStringW.USER32(00000000), ref: 0036DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0036DA91
LoadStringW.USER32(00000000), ref: 0036DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0036DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0036DAB9

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 775d04e7ba44626d4a85b22ac59939073b46caeefc93c73cbf5c5a8f4404bbb1
Instruction ID: 28edc63fc753eb595f64d20fac3658be277a29236856b950c7c789347f7df5db
Opcode Fuzzy Hash: 775d04e7ba44626d4a85b22ac59939073b46caeefc93c73cbf5c5a8f4404bbb1
Instruction Fuzzy Hash: BE016DF69142087FEB12EBE4DD89EEB366CEB08301F405497B746E2041EA749E848F74

Function 0037096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(015DE3B0,015DE3B0), ref: 0037097B
EnterCriticalSection.KERNEL32(015DE390,00000000), ref: 0037098D
TerminateThread.KERNEL32(?,000001F6), ref: 0037099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003709A9
CloseHandle.KERNEL32(?), ref: 003709B8
InterlockedExchange.KERNEL32(015DE3B0,000001F6), ref: 003709C8
LeaveCriticalSection.KERNEL32(015DE390), ref: 003709CF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d4e51fa9e2d06f75c77a953b7b17316731cda37309eb08e922990bfbb19810c4
Instruction ID: 38d31e4187e33ee7ed3425bc4b3f729a7cb70b21f99efbdd6e30f7bfded01be3
Opcode Fuzzy Hash: d4e51fa9e2d06f75c77a953b7b17316731cda37309eb08e922990bfbb19810c4
Instruction Fuzzy Hash: 42F0CD31452912EBDB565BA4EE89AD67A39BF05702F802416F241508A1C776A465CFA0

Function 00305D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00305D30
GetWindowRect.USER32(?,?), ref: 00305D71
ScreenToClient.USER32(?,?), ref: 00305D99
GetClientRect.USER32(?,?), ref: 00305ED7
GetWindowRect.USER32(?,?), ref: 00305EF8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a0f7138a67c89e7682065d2c2cb5ac60d9a972d6d920e0140eaeeec7c8552910
Instruction ID: 27e556cf11125978c6c5d05941f5831cf02cc09f26187dc8cd9e5b2e00011565
Opcode Fuzzy Hash: a0f7138a67c89e7682065d2c2cb5ac60d9a972d6d920e0140eaeeec7c8552910
Instruction Fuzzy Hash: B0B16734A01A4ADBDB11CFA9C4807EAB7F5FF48310F14942AE8A9D7690DB34AA51DF50

Function 003301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003300D6
__allrem.LIBCMT ref: 003300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0033010B
__allrem.LIBCMT ref: 00330122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00330140

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: e4fc481187e596fa75f3edea16b63300dd9233dfb0523a374ca43c439d7b4f43
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 06813976A00B16AFE72A9F28DC91B6BB3F8AF41720F25423AF551DB681E770D9008750

Function 00381D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00383149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0038101C,00000000,?,?,00000000), ref: 00383195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00381DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00381DE1
WSAGetLastError.WSOCK32 ref: 00381DF2
inet_ntoa.WSOCK32(?), ref: 00381E8C
htons.WSOCK32(?,?,?,?,?), ref: 00381EDB
_strlen.LIBCMT ref: 00381F35

Part of subcall function 003639E8: _strlen.LIBCMT ref: 003639F2

Part of subcall function 00306D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0031CF58,?,?,?), ref: 00306DBA
Part of subcall function 00306D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0031CF58,?,?,?), ref: 00306DED

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 5a405b3a86fdd0226fe57817c5c05ae6fdef8cfcda1f0d69e873654771500dce
Instruction ID: 4d852e7aba5cb84ab6d1bfbd79c96cf0a3467fa66422b8d8db28dd7540a3370d
Opcode Fuzzy Hash: 5a405b3a86fdd0226fe57817c5c05ae6fdef8cfcda1f0d69e873654771500dce
Instruction Fuzzy Hash: 53A1A031104340AFC326EF24C895F2AB7A9AF84318F558A8CF5565F2E2CB71ED46CB91

Function 003361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003282D9,003282D9,?,?,?,0033644F,00000001,00000001,8BE85006), ref: 00336258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0033644F,00000001,00000001,8BE85006,?,?,?), ref: 003362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003363D8
__freea.LIBCMT ref: 003363E5

Part of subcall function 00333820: RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852

__freea.LIBCMT ref: 003363EE
__freea.LIBCMT ref: 00336413

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 39b438d09c79eb682a6b3e3e38ea2d7f0c899dd4de0207b6c8e43ba0bd0fb2bd
Instruction ID: 90cedf31cdbc15b4240eb7f9c51c69eff949bf95da3ca87b51b5ea0d333e6028
Opcode Fuzzy Hash: 39b438d09c79eb682a6b3e3e38ea2d7f0c899dd4de0207b6c8e43ba0bd0fb2bd
Instruction Fuzzy Hash: C251B072A00216BFEB278F64DCC2EAF77A9EB44760F168629FC05DA161DB35DC44C660

Function 0038BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 0038C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038B6AE,?,?), ref: 0038C9B5
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038C9F1
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA68
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0038BD25
RegCloseKey.ADVAPI32(00000000), ref: 0038BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0038BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0038BDF3
RegCloseKey.ADVAPI32(?), ref: 0038BDFF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a81fd300c80068ab695020d2344364986d53ea19716c14cc83dbf35aeae7f0c5
Instruction ID: b64d0f85515514c8d04d0e9dad101f323560c372177691aefd2fac3ae6347250
Opcode Fuzzy Hash: a81fd300c80068ab695020d2344364986d53ea19716c14cc83dbf35aeae7f0c5
Instruction Fuzzy Hash: 0A817C30208341AFD716EF24C891E2ABBE9BF84308F14859DF4554B2A2DB31ED45CB92

Function 0035F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0035F7B9
SysAllocString.OLEAUT32(00000001), ref: 0035F860
VariantCopy.OLEAUT32(0035FA64,00000000), ref: 0035F889
VariantClear.OLEAUT32(0035FA64), ref: 0035F8AD
VariantCopy.OLEAUT32(0035FA64,00000000), ref: 0035F8B1
VariantClear.OLEAUT32(?), ref: 0035F8BB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: bfe171234647756d92d5363a43b5b8088d0b89b8732a6c94cd47ab026e364757
Instruction ID: 5b1e3af249bdef22c1bfb131574634bfd7a7a3888babd8c9a84dc75c48e3cedc
Opcode Fuzzy Hash: bfe171234647756d92d5363a43b5b8088d0b89b8732a6c94cd47ab026e364757
Instruction Fuzzy Hash: 8951D431601310AFCF26AB65D895F29B3A8EF45312F249467ED05DF2A6DB708C84CB96

Function 0037910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003794E5
_wcslen.LIBCMT ref: 00379506
_wcslen.LIBCMT ref: 0037952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00379585

Strings

X, xrefs: 00379412

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a59648f08b281e35365e38a28da887ae5fafc75f932687dd86fc0da210f39329
Instruction ID: 3729453d5b0bf735a5bb4e9971b1a2d3c347ba0c4bfeb41a0635eeae71870adf
Opcode Fuzzy Hash: a59648f08b281e35365e38a28da887ae5fafc75f932687dd86fc0da210f39329
Instruction Fuzzy Hash: 98E1B4356043108FD726DF24C891B6AB7E4FF85314F058A6EF8899B2A2DB35DD05CB92

Function 0031920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2

BeginPaint.USER32(?,?,?), ref: 00319241
GetWindowRect.USER32(?,?), ref: 003192A5
ScreenToClient.USER32(?,?), ref: 003192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003192D3
EndPaint.USER32(?,?,?,?,?), ref: 00319321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003571EA

Part of subcall function 00319339: BeginPath.GDI32(00000000), ref: 00319357

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3abec1d56a0f58272751eb7fadf32127bd831c413dc905c10595b6f507543ffa
Instruction ID: e7f84af49000c56db87c64dd66b0ebcc6e0cafc0d3ee667435f80314e4ff4c5e
Opcode Fuzzy Hash: 3abec1d56a0f58272751eb7fadf32127bd831c413dc905c10595b6f507543ffa
Instruction Fuzzy Hash: 2B419031105200AFD712DF64DCA5FBA7BBCEB49321F14066AF9A48B2B1C7319985DB61

Function 003707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0037080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00370847
EnterCriticalSection.KERNEL32(?), ref: 00370863
LeaveCriticalSection.KERNEL32(?), ref: 003708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00370921

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 79cdd9da2e2d893511df57054a7cf1bac75b7fe80c959e2770f37670bcf848a0
Instruction ID: 079692f7fdd64e7bd7635ea47d9e9c51467d62c4bbbf27f21afb7bf83b285766
Opcode Fuzzy Hash: 79cdd9da2e2d893511df57054a7cf1bac75b7fe80c959e2770f37670bcf848a0
Instruction Fuzzy Hash: B7416D71900205EFDF1AAF54DC85AAA77B8FF04300F1480A5ED049E297D735EE54DBA4

Function 003981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0035F3AB,00000000,?,?,00000000,?,0035682C,00000004,00000000,00000000), ref: 0039824C
EnableWindow.USER32(?,00000000), ref: 00398272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003982D1
ShowWindow.USER32(?,00000004), ref: 003982E5
EnableWindow.USER32(?,00000001), ref: 0039830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0039832F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d1e466946e05424af0cb4fe93d78230dfc943472380f5869e8618c275e43a3e4
Instruction ID: ca083766e5551881a1acf67c3eb3b4e27c345e96833b61ce63b91e8839dd96e8
Opcode Fuzzy Hash: d1e466946e05424af0cb4fe93d78230dfc943472380f5869e8618c275e43a3e4
Instruction Fuzzy Hash: B7419438601644AFDF13CF15D899BE47BF4BB8B714F19516AE5484F262CB32A841CB50

Function 00364C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00364C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00364CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00364CEA
_wcslen.LIBCMT ref: 00364D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00364D10
_wcsstr.LIBVCRUNTIME ref: 00364D1A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: f75dbd1c421f427768cab34d4d5a69101b34bd06a97fd92a0e750307beee6dd5
Instruction ID: bca4585e491344bce412f69880b8f9968a68c5e562e28ae7ec16cec49a7ff92b
Opcode Fuzzy Hash: f75dbd1c421f427768cab34d4d5a69101b34bd06a97fd92a0e750307beee6dd5
Instruction Fuzzy Hash: 1C21C672A04210BBEB175B39AC49E7BBBACDF49750F15C02AF805CE196EA61DC4196B0

Function 0037581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00303AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00303A97,?,?,00302E7F,?,?,?,00000000), ref: 00303AC2

_wcslen.LIBCMT ref: 0037587B
CoInitialize.OLE32(00000000), ref: 00375995
CoCreateInstance.OLE32(0039FCF8,00000000,00000001,0039FB68,?), ref: 003759AE
CoUninitialize.OLE32 ref: 003759CC

Strings

.lnk, xrefs: 00375876, 003758C1, 00375985

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 17abde895de808a943b837e0135687e235fae54f8e902bf5e3bf9a80fc4bcc99
Instruction ID: 139319dd2cc5c0778c2109e90c8f017858ca29e0395ca499f194aca810d5361c
Opcode Fuzzy Hash: 17abde895de808a943b837e0135687e235fae54f8e902bf5e3bf9a80fc4bcc99
Instruction Fuzzy Hash: 89D176706047019FC72ADF24C490A2ABBE5FF8A710F15885DF8899B3A1D775EC45CB92

Function 0036175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00360FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00360FCA
Part of subcall function 00360FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00360FD6
Part of subcall function 00360FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00360FE5
Part of subcall function 00360FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00360FEC
Part of subcall function 00360FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00361002

GetLengthSid.ADVAPI32(?,00000000,00361335), ref: 003617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003617BA
HeapAlloc.KERNEL32(00000000), ref: 003617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003617DA
GetProcessHeap.KERNEL32(00000000,00000000,00361335), ref: 003617EE
HeapFree.KERNEL32(00000000), ref: 003617F5

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 37e9bfaca8af96683b6af39333f4f8ef42456f6cea1869577d99c429774f678c
Instruction ID: 002652351be3d44ecd3ffeff0623cbf6c6eef50646f44946d9bc455384392a14
Opcode Fuzzy Hash: 37e9bfaca8af96683b6af39333f4f8ef42456f6cea1869577d99c429774f678c
Instruction Fuzzy Hash: 6411D031510205FFDB229FA8CC49BAF7BBDEF41355F188019F44197214D736AA40CB60

Function 003614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00361506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00361515
CloseHandle.KERNEL32(00000004), ref: 00361520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0036154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00361563

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5d133abc3a22076244cfe3f07d8e9857f213b67b2b57cee15cc90db85f91a10c
Instruction ID: c55cbc950b8b746ac4cfd90793ff9f4b021aa67f90515329b8d20aca34c8e0c5
Opcode Fuzzy Hash: 5d133abc3a22076244cfe3f07d8e9857f213b67b2b57cee15cc90db85f91a10c
Instruction Fuzzy Hash: 7C115972501209AFDF129FA8EE49BDE7BADEF48744F098015FA05A2160C376CE60DB60

Function 00323382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00323379,00322FE5), ref: 00323390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0032339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003233B7
SetLastError.KERNEL32(00000000,?,00323379,00322FE5), ref: 00323409

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 40eabdee57a89a0327d88d17d9ff9cb0f193a7e3349b8c1082b9f91725edd9b5
Instruction ID: 6fcea96650d91c5aa6df2f541919886e32c2369e32958264c15107527485f813
Opcode Fuzzy Hash: 40eabdee57a89a0327d88d17d9ff9cb0f193a7e3349b8c1082b9f91725edd9b5
Instruction Fuzzy Hash: 81014737319331BEEA2737757CC5A672A9CEB05779B20022AF510C91F0EF2AAE035644

Function 00332D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00335686,00343CD6,?,00000000,?,00335B6A,?,?,?,?,?,0032E6D1,?,003C8A48), ref: 00332D78
_free.LIBCMT ref: 00332DAB
_free.LIBCMT ref: 00332DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0032E6D1,?,003C8A48,00000010,00304F4A,?,?,00000000,00343CD6), ref: 00332DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0032E6D1,?,003C8A48,00000010,00304F4A,?,?,00000000,00343CD6), ref: 00332DEC
_abort.LIBCMT ref: 00332DF2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: dfead653700000f86da73f22154236ca6717a70f848b61c7ea2c45035ef242d5
Instruction ID: ec24b4a27d21f92f7136c2570cc16f41aad9b014460b59df7e243de6adafa536
Opcode Fuzzy Hash: dfead653700000f86da73f22154236ca6717a70f848b61c7ea2c45035ef242d5
Instruction Fuzzy Hash: 0FF0F636545A106BC6233739BCCAF5F265DAFC27A1F264419F838DA1E2EF3998025260

Function 00398A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00319639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00319693
Part of subcall function 00319639: SelectObject.GDI32(?,00000000), ref: 003196A2
Part of subcall function 00319639: BeginPath.GDI32(?), ref: 003196B9
Part of subcall function 00319639: SelectObject.GDI32(?,00000000), ref: 003196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00398A4E
LineTo.GDI32(?,00000003,00000000), ref: 00398A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00398A70
LineTo.GDI32(?,00000000,00000003), ref: 00398A80
EndPath.GDI32(?), ref: 00398A90
StrokePath.GDI32(?), ref: 00398AA0

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 58ad557d3b8ec1e101c81177c65b579e53e73f8e30c76ba35bea2e76aa498110
Instruction ID: d477817803239df58424b196ac1a93de3ebf47c20d2efa287139efb0224c4252
Opcode Fuzzy Hash: 58ad557d3b8ec1e101c81177c65b579e53e73f8e30c76ba35bea2e76aa498110
Instruction Fuzzy Hash: 8F11C976040149FFEF129F94EC88EEA7F6DEB08354F048012FA199A1A1C7729D55DBA0

Function 003651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00365218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00365229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00365230
ReleaseDC.USER32(00000000,00000000), ref: 00365238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0036524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00365261

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 4baaec89c21f381a709ad493769a1ebc4250e27a54b2baee9e1e19048ef35edc
Instruction ID: 9288b83c3cf39c5e264178906d230e88f9e0a6a1bd4ca3cb16014c12d1a7d870
Opcode Fuzzy Hash: 4baaec89c21f381a709ad493769a1ebc4250e27a54b2baee9e1e19048ef35edc
Instruction Fuzzy Hash: 5F018F75A01708BBEB119BA5DC49E4EBFB8EB48351F044066FA04AB280D6719800CBA0

Function 00301BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00301BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00301BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00301C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00301C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00301C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00301C22

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 20ebf93f0edd43f84704fcee88e72a12dd16710b0854bad1a06c0eb6fcd62d29
Instruction ID: de6b342ace89356609cd7eb4660f352acab50b705551c950e2fca53d8d9ba693
Opcode Fuzzy Hash: 20ebf93f0edd43f84704fcee88e72a12dd16710b0854bad1a06c0eb6fcd62d29
Instruction Fuzzy Hash: B00167B0902B5ABDE3008F6A8C85B52FFA8FF19354F04411BA15C4BA42C7F5AC64CBE5

Function 0036EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0036EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0036EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0036EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0036EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0036EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0036EB75

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 203ec7f9313137f7deb8372ad24b5da5f96df058f1aa89b6e238d7b99e2d9ca8
Instruction ID: eb0cfa2bb44d8dba305bc2bf73923d1e5a7c18330a074d99571f997a1fa723e5
Opcode Fuzzy Hash: 203ec7f9313137f7deb8372ad24b5da5f96df058f1aa89b6e238d7b99e2d9ca8
Instruction Fuzzy Hash: 6FF0BE72250118BBE7225B629C0EEEF7E7CEFCAB11F00115AF601D2090D7A21E01C6B8

Function 00357439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00357452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00357469
GetWindowDC.USER32(?), ref: 00357475
GetPixel.GDI32(00000000,?,?), ref: 00357484
ReleaseDC.USER32(?,00000000), ref: 00357496
GetSysColor.USER32(00000005), ref: 003574B0

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 80b0e67910098c2092270c3c8c38d5ef8c8cb6d3cb2b7d65abb12cdc3d0697a1
Instruction ID: b8116aee1210b9423e9ad066ee7406f3466d82263d9ad723da433a3ce300a9a2
Opcode Fuzzy Hash: 80b0e67910098c2092270c3c8c38d5ef8c8cb6d3cb2b7d65abb12cdc3d0697a1
Instruction Fuzzy Hash: 67018B31410205EFDB125FA5EC08BEA7BB9FB04312F551062FD16A20B0CB321E41EB10

Function 00361874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0036187F
UnloadUserProfile.USERENV(?,?), ref: 0036188B
CloseHandle.KERNEL32(?), ref: 00361894
CloseHandle.KERNEL32(?), ref: 0036189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003618A5
HeapFree.KERNEL32(00000000), ref: 003618AC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 701a2045a2524d4dc3071942e9cf483a47c460e7cc400ffbf912b7b8b6e6caaa
Instruction ID: 8565e5ad3d6cdbc3188b0894951696f73dc66e5930760a5b112302eb20ebbaa8
Opcode Fuzzy Hash: 701a2045a2524d4dc3071942e9cf483a47c460e7cc400ffbf912b7b8b6e6caaa
Instruction Fuzzy Hash: 46E0C236014101BBDA026BA5EE0C90ABB2DFB49B22B109222F22581070CB339420DB64

Function 0030BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0030BEB3

Strings

D%=, xrefs: 0030BCA2
D%=D%=, xrefs: 0030BCA5
D%=, xrefs: 0030BDED, 0030BD91, 0030BD1B
D%=, xrefs: 0030BE9A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%=$D%=$D%=$D%=D%=
API String ID: 1385522511-2666785572
Opcode ID: 68aef81d6fedb8d0c56ff11bdbd20ee05c2c332ccdd801356c81e5ec63e6eb36
Instruction ID: 32ca8fe0aa32294e773165189976463882eb4ff70735c43d1ac000518ab6914a
Opcode Fuzzy Hash: 68aef81d6fedb8d0c56ff11bdbd20ee05c2c332ccdd801356c81e5ec63e6eb36
Instruction Fuzzy Hash: 66916B75A0120ACFCB19CF59D0A0AAAF7F6FF59310F25816AD941AB390D731ED81CB90

Function 00387B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00320242: EnterCriticalSection.KERNEL32(003D070C,003D1884,?,?,0031198B,003D2518,?,?,?,003012F9,00000000), ref: 0032024D
Part of subcall function 00320242: LeaveCriticalSection.KERNEL32(003D070C,?,0031198B,003D2518,?,?,?,003012F9,00000000), ref: 0032028A

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 003200A3: __onexit.LIBCMT ref: 003200A9

__Init_thread_footer.LIBCMT ref: 00387BFB

Part of subcall function 003201F8: EnterCriticalSection.KERNEL32(003D070C,?,?,00318747,003D2514), ref: 00320202
Part of subcall function 003201F8: LeaveCriticalSection.KERNEL32(003D070C,?,00318747,003D2514), ref: 00320235

Strings

5, xrefs: 00387C78
Variable must be of type 'Object'., xrefs: 00387C3A
+T5, xrefs: 00387E2E
G, xrefs: 00387C7F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T5$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1988379522
Opcode ID: 517d56cc0e15744674844c8ab168cc831d8efad760cf54a58062e6b2ffe9f74b
Instruction ID: b4a8b0c75e7cdaa13f668147a3dab8d6b8d3d7632f01a324b40b1cc9965ad6ee
Opcode Fuzzy Hash: 517d56cc0e15744674844c8ab168cc831d8efad760cf54a58062e6b2ffe9f74b
Instruction Fuzzy Hash: 5C916974A04309EFCB16EF54D8919ADB7B6FF49300F248099F806AB292DB71EE45CB51

Function 0036C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0036C6EE
_wcslen.LIBCMT ref: 0036C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0036C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0036C7CA

Strings

0, xrefs: 0036C6AF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f25bf7b552ecdad3c98a45f542e4cf39cbcb5a060c337311ff99bb621fdd8114
Instruction ID: 7af5cdea81c0aaf29f45c22f180bdfc8f08e3b3eb30e42354592c2f7eee82e5d
Opcode Fuzzy Hash: f25bf7b552ecdad3c98a45f542e4cf39cbcb5a060c337311ff99bb621fdd8114
Instruction Fuzzy Hash: AF51F0716243009FC7179F28D894A7B77E8AF49310F04AA2AF9E5D7195DB70D804CB96

Function 0038AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0038AEA3

Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625

GetProcessId.KERNEL32(00000000), ref: 0038AF38
CloseHandle.KERNEL32(00000000), ref: 0038AF67

Strings

<, xrefs: 0038AE6B
@, xrefs: 0038AE72

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5d28cabd7d419ea182ca8d3432a4a5d01e075b917269250fb059cb5f516510d0
Instruction ID: a9ae9f90fce6a91523102a4df1407b823ccbea1b4182eb1ea471d74122779ae9
Opcode Fuzzy Hash: 5d28cabd7d419ea182ca8d3432a4a5d01e075b917269250fb059cb5f516510d0
Instruction Fuzzy Hash: EE717970A00619DFDB16EF54C894A9EBBF0BF08310F05849AE816AF392CB35ED45CB91

Function 0036719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00367206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0036723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0036724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003672CF

Strings

DllGetClassObject, xrefs: 00367242

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f7ef04d47b18c83126a6bdea0e4a4f98c2dcb5e6e36990bcdbe2ca5475176b04
Instruction ID: 65b166b90fabb71d5d9ff3086f96d4fa3ae4e567d62a4274f393663350c9d3ec
Opcode Fuzzy Hash: f7ef04d47b18c83126a6bdea0e4a4f98c2dcb5e6e36990bcdbe2ca5475176b04
Instruction Fuzzy Hash: 18418D71A04204AFDB16CF54C895A9A7BB9EF44318F5584A9FD059F20ED7B1D940CBA0

Function 00393D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00393E35
IsMenu.USER32(?), ref: 00393E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00393E92
DrawMenuBar.USER32 ref: 00393EA5

Strings

0, xrefs: 00393D89

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 103e2ea5ff826e04b346a0b5ec39bfa0a01b69bb02b1b7707e4a963cccc7a254
Instruction ID: 173e03e569015e6e99857960906df3cddd61b9e658fd729216f82e8e0717578b
Opcode Fuzzy Hash: 103e2ea5ff826e04b346a0b5ec39bfa0a01b69bb02b1b7707e4a963cccc7a254
Instruction Fuzzy Hash: 884138B6A11209AFDF12DF54D884AAABBB9FF49354F054129E905AB250D730AE44CF90

Function 00361DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00361E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00361E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00361EA9

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

Strings

ListBox, xrefs: 00361E25
ComboBox, xrefs: 00361DF0

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 412b9c8c96fccb409010ebcec5ebc12f29fc03b1a42d387165545f1f54876f3f
Instruction ID: 1fd51280d8923781c2ac9a84d4c992a3fcd2782b38122b2840f43911f97e10ec
Opcode Fuzzy Hash: 412b9c8c96fccb409010ebcec5ebc12f29fc03b1a42d387165545f1f54876f3f
Instruction Fuzzy Hash: 70214772A00104BFDB16AB60CC56DFFBBBCDF45350F18811AF821AB1E5DB368D099620

Function 0038C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0038C9F1
_wcslen.LIBCMT ref: 0038CA68
_wcslen.LIBCMT ref: 0038CA9E
_wcslen.LIBCMT ref: 0038CAF9
_wcslen.LIBCMT ref: 0038CB2F
_wcslen.LIBCMT ref: 0038CB7F

Strings

HKLM, xrefs: 0038CA98, 0038CA9D
HKEY_LOCAL_MACHINE, xrefs: 0038CA62, 0038CA67

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 53f60a182fbb159bd993918a2ea1b51c5c92e19ce0b7552ad42b29bfbacb2df4
Instruction ID: 25e404b31c417936e429da84b9a5aaba18a2a56db7d285a0e64314f76fb08f74
Opcode Fuzzy Hash: 53f60a182fbb159bd993918a2ea1b51c5c92e19ce0b7552ad42b29bfbacb2df4
Instruction Fuzzy Hash: 2D310933A202694BCB2BFF6C98505BF33A15BA1750B07509AEC51AB345EA75CD4097B0

Function 00392F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00392F8D
LoadLibraryW.KERNEL32(?), ref: 00392F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00392FA9
DestroyWindow.USER32(?), ref: 00392FB1

Strings

SysAnimate32, xrefs: 00392F68

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 04d80ed92464a698b3added1c922753bb7fe5a361a61bec71a6917fc8ca1ebe4
Instruction ID: 6d07cc64c35c77fb5da078c53149257aa068ebbf4055bd6013d9b4452b497692
Opcode Fuzzy Hash: 04d80ed92464a698b3added1c922753bb7fe5a361a61bec71a6917fc8ca1ebe4
Instruction Fuzzy Hash: 0821FD72204A05BBEF128F64DC80FBB77BDEB59364F110619F952D6090C331DC519760

Function 00324D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00324D1E,003328E9,?,00324CBE,003328E9,003C88B8,0000000C,00324E15,003328E9,00000002), ref: 00324D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00324DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00324D1E,003328E9,?,00324CBE,003328E9,003C88B8,0000000C,00324E15,003328E9,00000002,00000000), ref: 00324DC3

Strings

mscoree.dll, xrefs: 00324D86
CorExitProcess, xrefs: 00324D98

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 22604253c199c190b67969a946f30f49b17a9b092b190181ab12ddc191752986
Instruction ID: 2ce7a92ccf17e3c1de5bcf26499dd66804d0bf1d564fdca907df65d1f5a39648
Opcode Fuzzy Hash: 22604253c199c190b67969a946f30f49b17a9b092b190181ab12ddc191752986
Instruction Fuzzy Hash: A0F06234A50218BBDB179F90EC49BEDBFB9EF44751F4101A5F80AA2261CB329D40CB94

Function 0035D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0035D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0035D3BF
FreeLibrary.KERNEL32(00000000), ref: 0035D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0035D3B9
X64, xrefs: 0035D2A8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 0c6eb9192d7b6fe707e4de3b2d6ab7586a3cc7612402d64be1ed2988005fc6a1
Instruction ID: 3bab1e451e1edab37a6ece71daa0f1b545a3edfb76476b45024c0846605236e4
Opcode Fuzzy Hash: 0c6eb9192d7b6fe707e4de3b2d6ab7586a3cc7612402d64be1ed2988005fc6a1
Instruction Fuzzy Hash: D4F02039806A20DBDB3357208C48DA97228AF00703F52996AEC03E2534DB30CD88CA82

Function 00304E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00304EDD,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00304EAE
FreeLibrary.KERNEL32(00000000,?,?,00304EDD,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00304EA8
kernel32.dll, xrefs: 00304E94

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1e39a12ded61c9098c51fa808649e4eb93b7976ecc98c96672dad38aefd659d2
Instruction ID: 9ed52ae4693e45b9fca6ffd672d92ace62e0c2825bc6f36d57a20ffc5e4e51c2
Opcode Fuzzy Hash: 1e39a12ded61c9098c51fa808649e4eb93b7976ecc98c96672dad38aefd659d2
Instruction Fuzzy Hash: 74E08635A135225BD2231725BC28B9BA558AF81B62F064116FD05D2150DB60CE0281E4

Function 00304E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00343CDE,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00304E74
FreeLibrary.KERNEL32(00000000,?,?,00343CDE,?,003D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00304E87

Strings

kernel32.dll, xrefs: 00304E5B
Wow64RevertWow64FsRedirection, xrefs: 00304E6E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 14f6baeee700b54e06d7b543f24a40af8131087b5d66d18172334fb125d9fb07
Instruction ID: 853ed282dc256f0331fca2faab0d023f7b6271856025dac05709d607b7ebda36
Opcode Fuzzy Hash: 14f6baeee700b54e06d7b543f24a40af8131087b5d66d18172334fb125d9fb07
Instruction Fuzzy Hash: E9D01235513621579A231B25BC28ECB6A1CAF85B51746551AFA09E2194CF62CE01C5D4

Function 00372947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00372C05
DeleteFileW.KERNEL32(?), ref: 00372C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00372C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00372CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00372CC0

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: fc823cdcd281d2f33ad446b50bbad4a469e6bf8df958b7380218b9026ae5bb80
Instruction ID: 711d07ebcb857d36461641aa9145ff58bf035d12545e3b6cbd33c51f92668dd5
Opcode Fuzzy Hash: fc823cdcd281d2f33ad446b50bbad4a469e6bf8df958b7380218b9026ae5bb80
Instruction Fuzzy Hash: 1CB16F71901129ABDF26DFA4CC85EDFB7BDEF49350F1080AAF509EA141EB349A448F61

Function 0038A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0038A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0038A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0038A468
CloseHandle.KERNEL32(?), ref: 0038A63D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 5494cce41a5c814490f9a6cb18d21828a311f38d72d20edf1d275350e48b8e3b
Instruction ID: 76567e245d6e8b8ec6a23296e11f06b656aedf81fcfdf99dd168340dad0386a7
Opcode Fuzzy Hash: 5494cce41a5c814490f9a6cb18d21828a311f38d72d20edf1d275350e48b8e3b
Instruction Fuzzy Hash: 37A1D4716047019FE725EF28C892F2AB7E5AF84714F14885DF5999B3D2DBB0EC408B92

Function 0036E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0036DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0036CF22,?), ref: 0036DDFD

Part of subcall function 0036DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0036CF22,?), ref: 0036DE16

Part of subcall function 0036E199: GetFileAttributesW.KERNEL32(?,0036CF95), ref: 0036E19A

lstrcmpiW.KERNEL32(?,?), ref: 0036E473
MoveFileW.KERNEL32(?,?), ref: 0036E4AC
_wcslen.LIBCMT ref: 0036E5EB
_wcslen.LIBCMT ref: 0036E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0036E650

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f89fdeaa6699fd9167f8940187686ecd33cc5649ccdd000dc03f93c506bed99c
Instruction ID: 63945ffa7a30176b9a264152ca2827a4b03ba121d408b463522f3c98c7ba09e9
Opcode Fuzzy Hash: f89fdeaa6699fd9167f8940187686ecd33cc5649ccdd000dc03f93c506bed99c
Instruction Fuzzy Hash: DB5185B24083845BC726EBA0DC919DF73ECAF85340F00891EF689D7195EF74A68C875A

Function 0038B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 0038C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038B6AE,?,?), ref: 0038C9B5
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038C9F1
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA68
Part of subcall function 0038C998: _wcslen.LIBCMT ref: 0038CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0038BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0038BB63
RegCloseKey.ADVAPI32(?,?), ref: 0038BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0038BBB3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: aae65e23266987451d3b8204fbcf35da054b24c4cc87d7687561d16f02b53dca
Instruction ID: f9ce27b0c68c4bb58ea8638f038776e9b16e06bc7e2fdd47b0f7b000a601fd89
Opcode Fuzzy Hash: aae65e23266987451d3b8204fbcf35da054b24c4cc87d7687561d16f02b53dca
Instruction Fuzzy Hash: 4B619131209342AFD716EF14C490E2ABBE9FF84308F55859DF4994B2A2DB31ED45CB92

Function 00368BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00368BCD
VariantClear.OLEAUT32 ref: 00368C3E
VariantClear.OLEAUT32 ref: 00368C9D
VariantClear.OLEAUT32(?), ref: 00368D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00368D3B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 625c35dc4682a2e18d50bd594e72af654658074e4a0518d6593224b028808092
Instruction ID: 7719785b85951fe6f14556e69b517031ac28c4464a8f2c75f2f1bf94caeb2164
Opcode Fuzzy Hash: 625c35dc4682a2e18d50bd594e72af654658074e4a0518d6593224b028808092
Instruction Fuzzy Hash: AF5169B5A00219EFCB15CF68C884AAAB7F8FF8D314F158559E905DB354E730E911CBA0

Function 00378AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00378BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00378BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00378C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00378C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00378C5F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 80fdd0c6da0d11faf7d7b6e2e7c748219fd63833c2ff70934f2dcab5b9cab0d2
Instruction ID: f031b8d0eb0f2428ed7db351cc06196fd297f78cd8fdcd5828608ba52be5260b
Opcode Fuzzy Hash: 80fdd0c6da0d11faf7d7b6e2e7c748219fd63833c2ff70934f2dcab5b9cab0d2
Instruction Fuzzy Hash: 8D517B34A002159FCB16DF64C894AAABBF5FF49314F08C458E849AB3A2CB35ED41CB90

Function 00388EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00388F40
GetProcAddress.KERNEL32(00000000,?), ref: 00388FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00388FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00389032
FreeLibrary.KERNEL32(00000000), ref: 00389052

Part of subcall function 0031F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00371043,?,753CE610), ref: 0031F6E6
Part of subcall function 0031F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0035FA64,00000000,00000000,?,?,00371043,?,753CE610,?,0035FA64), ref: 0031F70D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 80e1c39f852f0bffe04174b3690f5dee57ac763ffb63e92dd41f7e521e9eac91
Instruction ID: 48b345b044d32a535b4dd0c9b59e8a4cb7e5e1cd6c49397bce050c05954635d4
Opcode Fuzzy Hash: 80e1c39f852f0bffe04174b3690f5dee57ac763ffb63e92dd41f7e521e9eac91
Instruction Fuzzy Hash: 08515A74601205DFCB12EF58C4949ADBBF1FF49314B4980A9E90AAF362DB31ED85CB90

Function 00396B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00396C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00396C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00396C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0037AB79,00000000,00000000), ref: 00396C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00396CC7

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e9def57d6b29ccdada8aa958dbc7d7e693f7e83260a03e393c77f611815f0334
Instruction ID: e3ba327179b3dd290fd815e165cd516475ef26541a84fd76ec7569e9a58d0692
Opcode Fuzzy Hash: e9def57d6b29ccdada8aa958dbc7d7e693f7e83260a03e393c77f611815f0334
Instruction Fuzzy Hash: 1E41D735605104AFDF26CF68CC56FB97BA9EB09350F160229F899A72E0D371ED41CE90

Function 00332051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003320C3
_free.LIBCMT ref: 003320E3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 11872eb9e4e44bf6d2280c0065630830a020dd0f1b8aaaf3ac03a9787ce13d69
Instruction ID: fe3ac360da5f1eb330cffb46649903a9ca7180df5e50c294442f514f2c2f190a
Opcode Fuzzy Hash: 11872eb9e4e44bf6d2280c0065630830a020dd0f1b8aaaf3ac03a9787ce13d69
Instruction Fuzzy Hash: 23419032A00210AFCB26DF78C9C1A5AB7B5EF89714F1645A9E515EB351D631ED01CB90

Function 0031912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00319141
ScreenToClient.USER32(00000000,?), ref: 0031915E
GetAsyncKeyState.USER32(00000001), ref: 00319183
GetAsyncKeyState.USER32(00000002), ref: 0031919D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e634294f341a8bb3b25a9cc20a0aefc98ec4bb680a03b62ee2e909ecdbea2789
Instruction ID: 4ece6d1f812f78e19d35fe93ef970b7fdf3950779f8f1e3f5c664eb5b75229a7
Opcode Fuzzy Hash: e634294f341a8bb3b25a9cc20a0aefc98ec4bb680a03b62ee2e909ecdbea2789
Instruction Fuzzy Hash: F041627190851ABBDF1A9F64D858BEEB774FB09320F214226E825A72E0C7306D94CF51

Function 00373874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00373922
TranslateMessage.USER32(?), ref: 0037394B
DispatchMessageW.USER32(?), ref: 00373955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00373966

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 3a75239fcd476a95168cb4a5042327e1f2f2235d9950c082cff8cc834929ce5e
Instruction ID: 60f35fa73069d436567a79660a52470a82876319508993de0699ad3a43f9b1cf
Opcode Fuzzy Hash: 3a75239fcd476a95168cb4a5042327e1f2f2235d9950c082cff8cc834929ce5e
Instruction Fuzzy Hash: 8431EB70515341BFEB37CB74E848BB677ECEB07300F05855ED56A82590D3B99684EB11

Function 0037CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0037C21E,00000000), ref: 0037CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0037CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0037C21E,00000000), ref: 0037CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0037C21E,00000000), ref: 0037CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0037C21E,00000000), ref: 0037CFF2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 29ae4afb51003e712ed313573f9282b9cb2c8f9daed6a15efcfa4005978205ca
Instruction ID: 9fa3ec7f78bc8a36f65b8d31f1869c339ebd260a4192ef04558f86583dbe372f
Opcode Fuzzy Hash: 29ae4afb51003e712ed313573f9282b9cb2c8f9daed6a15efcfa4005978205ca
Instruction Fuzzy Hash: C4317C71610205EFDB36DFA5D884AABBBFDEB04310B10942EF50AD2101DB34AE40DB60

Function 00361901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00361915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003619E2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3276086adec8afe6aa860ecc9525a77e7355aa3e312d8c7726f50984087bb6db
Instruction ID: dfd628bbb010f19541967cfeca5b58b864899e3c9ae917fafd7230b7f4001c5e
Opcode Fuzzy Hash: 3276086adec8afe6aa860ecc9525a77e7355aa3e312d8c7726f50984087bb6db
Instruction Fuzzy Hash: 2131C271A00219EFCB01CFA8CD99ADE7BB5EB04315F148225F921A72D1C7709D44CB90

Function 00395706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00395745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0039579D
_wcslen.LIBCMT ref: 003957AF
_wcslen.LIBCMT ref: 003957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00395816

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 36047ba6ae8185d88bc0f415cf5d26561bb2717bbf7a2f75f4f5e3e00b8b5bcb
Instruction ID: 4495026ba1a1d093043d0a1714357bbd94d69105c7bf86ca519c3a8bac11face
Opcode Fuzzy Hash: 36047ba6ae8185d88bc0f415cf5d26561bb2717bbf7a2f75f4f5e3e00b8b5bcb
Instruction Fuzzy Hash: 0A218271904618AADF239FA1DC85AEEB7BCFF04724F108216F929EA180D7708AC5CF50

Function 00380930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00380951
GetForegroundWindow.USER32 ref: 00380968
GetDC.USER32(00000000), ref: 003809A4
GetPixel.GDI32(00000000,?,00000003), ref: 003809B0
ReleaseDC.USER32(00000000,00000003), ref: 003809E8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b7d0f475026306f8962e54736f52d5901c0fa1714bba6883e800480a760df6ea
Instruction ID: 9b766a3d5be95dca8fb95becdcfcae2c7babd7e7df72a9bd04e2c2d213d96d8f
Opcode Fuzzy Hash: b7d0f475026306f8962e54736f52d5901c0fa1714bba6883e800480a760df6ea
Instruction Fuzzy Hash: 22219036610204AFD715EF69CC94AAEBBF9EF49700F048069F85ADB762DB30AC44CB50

Function 0033CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0033CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0033CDE9

Part of subcall function 00333820: RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0033CE0F
_free.LIBCMT ref: 0033CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0033CE31

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 036c1ac2ef932366fa9b57e3aea672486808d17c883e9ef768c5dac8f6c126e5
Instruction ID: a057ea88b8da195396100c09e4697a9510524e11867390e6302db4c80fab92ad
Opcode Fuzzy Hash: 036c1ac2ef932366fa9b57e3aea672486808d17c883e9ef768c5dac8f6c126e5
Instruction Fuzzy Hash: 6A01FC726112157F732326766CCCD7B796DDEC6BA2B15112AFD05E7101DA618D0183B0

Function 00319639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00319693
SelectObject.GDI32(?,00000000), ref: 003196A2
BeginPath.GDI32(?), ref: 003196B9
SelectObject.GDI32(?,00000000), ref: 003196E2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1471ecf3aa44b84058cd1fb1303c77fe2cfaf436dbaa0ba2bf7327df305ea191
Instruction ID: 7b2df3f6d357ddd24d96a4b7f424592213908bd9849e6df1351305b64c6978ff
Opcode Fuzzy Hash: 1471ecf3aa44b84058cd1fb1303c77fe2cfaf436dbaa0ba2bf7327df305ea191
Instruction Fuzzy Hash: EF215771812305EBDB139F64EC28BE93BACBB04366F110217F810A61B1D3719895CBE4

Function 00365711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00365726
_memcmp.LIBVCRUNTIME ref: 00365744
_memcmp.LIBVCRUNTIME ref: 00365757
_memcmp.LIBVCRUNTIME ref: 0036576F
_memcmp.LIBVCRUNTIME ref: 00365787

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fbc3317ed3754e9e2eaaacc5a112688ea04d2921a6f359147e2f9a6060100a45
Instruction ID: a60bf42dbf4ae4a022be5098cae3a616e690a9bccc2da421b597fca030fff330
Opcode Fuzzy Hash: fbc3317ed3754e9e2eaaacc5a112688ea04d2921a6f359147e2f9a6060100a45
Instruction Fuzzy Hash: B101B575641A19BFD70B9510AE82FFB735D9B313A4F008030FE04AE645F761ED2086E0

Function 00332DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0032F2DE,00333863,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6), ref: 00332DFD
_free.LIBCMT ref: 00332E32
_free.LIBCMT ref: 00332E59
SetLastError.KERNEL32(00000000,00301129), ref: 00332E66
SetLastError.KERNEL32(00000000,00301129), ref: 00332E6F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 472445ffec5152a25522e738b32820bdeea81553fea042362dde50902e18c655
Instruction ID: 153cdca951f4c9d3a91981c7a41d76d473ae12ee17e8af0fcb2e7936800b7014
Opcode Fuzzy Hash: 472445ffec5152a25522e738b32820bdeea81553fea042362dde50902e18c655
Instruction Fuzzy Hash: CE014C362456007BC6132779BCC7E2B265DAFC13B1F265429F425E62D2EF75CC015120

Function 0036000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?,?,0036035E), ref: 0036002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?), ref: 00360064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0035FF41,80070057,?,?), ref: 00360070

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c4a8799b54389c71c619124fc58d20af107cee1460e7bff67f18b2adc4f85ca2
Instruction ID: a479f9844bddb7f53c7679b43a4abf380ab8c41936494fccaf0dddd297717868
Opcode Fuzzy Hash: c4a8799b54389c71c619124fc58d20af107cee1460e7bff67f18b2adc4f85ca2
Instruction Fuzzy Hash: 9901F972620204BFDB124F68DC09BAF7AEDEF48392F108025F805D2214EBB2CD008BA0

Function 0036E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0036E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0036E9A5
Sleep.KERNEL32(00000000), ref: 0036E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0036E9B7
Sleep.KERNEL32 ref: 0036E9F3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e9c0ee2402e7061f32de649c5471daeac237b1cf8a4319429f85a1733ab97d31
Instruction ID: b81f3648a58d5b461cb01ae60e84547b8714976bb87f63f22dfc48c13e4da424
Opcode Fuzzy Hash: e9c0ee2402e7061f32de649c5471daeac237b1cf8a4319429f85a1733ab97d31
Instruction Fuzzy Hash: BB015735C1162DDBCF02AFE4D859AEEBBB8BF08700F014546E502B2248CB389558CBA5

Function 003610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00361114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 0036112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00360B9B,?,?,?), ref: 00361136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0036114D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9afa7203e0296fce2d6604761dad8e250cbc36908a6d37db79d488d230f5aef9
Instruction ID: b032370db4ace575ba655fb99153d0457f1142a89694540e8e94330026231a79
Opcode Fuzzy Hash: 9afa7203e0296fce2d6604761dad8e250cbc36908a6d37db79d488d230f5aef9
Instruction Fuzzy Hash: AF013175110205BFDB124FA5DC49E6A3F6EEF86360F554416FA45D7360DB32DC00DA60

Function 00360FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00360FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00360FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00360FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00360FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00361002

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4af6e348c339866689e728feb95a88abc442cd5a157c81d294b9ef5363157c2c
Instruction ID: c24b7396192b91de9326ed347030362b2ae7ea5de05cf9561ed86b49aa0fb5d0
Opcode Fuzzy Hash: 4af6e348c339866689e728feb95a88abc442cd5a157c81d294b9ef5363157c2c
Instruction Fuzzy Hash: C0F06D39210301EBDB225FA8DC8DF5A3BADEF89762F654416FA45C7261CA72DC408A70

Function 00361014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0036102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00361036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00361045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0036104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00361062

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 89914e51f69280f5b40f3c904b48667d1027687f062f43cfbe303f7bde259389
Instruction ID: 14e92a46cc6ce43afdb1a843554aba09171ac75177dfa533b068ed1ab517ef80
Opcode Fuzzy Hash: 89914e51f69280f5b40f3c904b48667d1027687f062f43cfbe303f7bde259389
Instruction Fuzzy Hash: E8F06D39210311EBDB235FA8EC49F5A3BADEF89761F254416FA45C7260CA72D8508AB0

Function 0037030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 00370324
CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 00370331
CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 0037033E
CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 0037034B
CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 00370358
CloseHandle.KERNEL32(?,?,?,?,0037017D,?,003732FC,?,00000001,00342592,?), ref: 00370365

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 741f25770bf5b87a8c5ece4cf5988395991f461210b210b9d094669c9c212ebe
Instruction ID: 2e8bf694b7aca310189c3deda147239645a7e493703ea4a12a5c770d64d8203a
Opcode Fuzzy Hash: 741f25770bf5b87a8c5ece4cf5988395991f461210b210b9d094669c9c212ebe
Instruction Fuzzy Hash: 5D019076800B15DFD736AF66D880416F7F9BE503153168A3FD19A52931C375A954CE80

Function 0033D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0033D752

Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0

_free.LIBCMT ref: 0033D764
_free.LIBCMT ref: 0033D776
_free.LIBCMT ref: 0033D788
_free.LIBCMT ref: 0033D79A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f38f9da13d5d4adbc92e83ccd99762beee9ef8b2fb4b7e991b9ef54be560f2b8
Instruction ID: 42bc3dbf3fc296fb2db6d1ec0c2370a09e7e556251bcbe8f8f80cf285c925ccb
Opcode Fuzzy Hash: f38f9da13d5d4adbc92e83ccd99762beee9ef8b2fb4b7e991b9ef54be560f2b8
Instruction Fuzzy Hash: CAF0F972554218AB8623EF68F9C6D1B7BDDBB45710FA61845F048EB502CB30FC908B64

Function 00365C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00365C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00365C6F
MessageBeep.USER32(00000000), ref: 00365C87
KillTimer.USER32(?,0000040A), ref: 00365CA3
EndDialog.USER32(?,00000001), ref: 00365CBD

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 53aee9099152ec2b0535d1c9a1a31209989236bfe4654cd06141e11e6b3540eb
Instruction ID: 3a567640a5681075b5648bd0ddf493a0267313c9a5e9da601f74cb5514dbd0b3
Opcode Fuzzy Hash: 53aee9099152ec2b0535d1c9a1a31209989236bfe4654cd06141e11e6b3540eb
Instruction Fuzzy Hash: EE01A430510B04AFEB225B10DD4EFA67BBCBF00B05F04556AB583A14E5DBF5A984CB90

Function 003322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003322BE

Part of subcall function 003329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000), ref: 003329DE
Part of subcall function 003329C8: GetLastError.KERNEL32(00000000,?,0033D7D1,00000000,00000000,00000000,00000000,?,0033D7F8,00000000,00000007,00000000,?,0033DBF5,00000000,00000000), ref: 003329F0

_free.LIBCMT ref: 003322D0
_free.LIBCMT ref: 003322E3
_free.LIBCMT ref: 003322F4
_free.LIBCMT ref: 00332305

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8cbb4092f5841acfc30dcc5afaafb7c148dc8391c2f5650af44ad2e6eae14ac9
Instruction ID: 26a8ca587d1e474627e6e0a2d0f6f84bed58861cd11d381b33bb53f28d5f546e
Opcode Fuzzy Hash: 8cbb4092f5841acfc30dcc5afaafb7c148dc8391c2f5650af44ad2e6eae14ac9
Instruction Fuzzy Hash: 47F05E748122309B8627AF54BC81E0F3B6CF719B60F15194BF414DA2B1C7321822AFE5

Function 003195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003195D4
StrokeAndFillPath.GDI32(?,?,003571F7,00000000,?,?,?), ref: 003195F0
SelectObject.GDI32(?,00000000), ref: 00319603
DeleteObject.GDI32 ref: 00319616
StrokePath.GDI32(?), ref: 00319631

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 21f55eb704436a0bb04639e73b815bb2ef3547809a10b9d22526aacd1b7ffb8b
Instruction ID: ce770d821cf1b38a8160cbfb53bdab41a074893a2edec8c8fa547e0a6154d4c7
Opcode Fuzzy Hash: 21f55eb704436a0bb04639e73b815bb2ef3547809a10b9d22526aacd1b7ffb8b
Instruction Fuzzy Hash: 14F0EC31026204EBDB175F65FD3C7A43B69AB09332F048216F465591F1C7358995DFB4

Function 00330F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003310F9
__freea.LIBCMT ref: 00331117

Part of subcall function 00331537: _free.LIBCMT ref: 0033154F

Strings

am/pm, xrefs: 0033117A
a/p, xrefs: 003311DE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 40a049ab78036e28120db5667f7659514e4758290e1c084df6d373e6db2967a7
Instruction ID: e09a8b625a68fab37ccc395b9b7b90c7112ba2dfaa1f2c61fd5055b0e10bbba6
Opcode Fuzzy Hash: 40a049ab78036e28120db5667f7659514e4758290e1c084df6d373e6db2967a7
Instruction Fuzzy Hash: 98D11439D00206CADB2B9F68C8D5BFEB7B4FF05320F294219E9419BA55D3759D80CB91

Function 003861D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00320242: EnterCriticalSection.KERNEL32(003D070C,003D1884,?,?,0031198B,003D2518,?,?,?,003012F9,00000000), ref: 0032024D
Part of subcall function 00320242: LeaveCriticalSection.KERNEL32(003D070C,?,0031198B,003D2518,?,?,?,003012F9,00000000), ref: 0032028A

Part of subcall function 003200A3: __onexit.LIBCMT ref: 003200A9

__Init_thread_footer.LIBCMT ref: 00386238

Part of subcall function 003201F8: EnterCriticalSection.KERNEL32(003D070C,?,?,00318747,003D2514), ref: 00320202
Part of subcall function 003201F8: LeaveCriticalSection.KERNEL32(003D070C,?,00318747,003D2514), ref: 00320235

Part of subcall function 0037359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003735E4
Part of subcall function 0037359C: LoadStringW.USER32(003D2390,?,00000FFF,?), ref: 0037360A

Strings

x#=, xrefs: 00386353
x#=, xrefs: 0038636F
x#=, xrefs: 0038633A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#=$x#=$x#=
API String ID: 1072379062-3174260402
Opcode ID: 9b1b928b946f962e7c731718db0456a8cfc111bb75f0d859af4ea3fc485d119a
Instruction ID: 5b934d9e820b188f4eda5cb29e9e1345ed15c237369723db34d1c070bb98d13f
Opcode Fuzzy Hash: 9b1b928b946f962e7c731718db0456a8cfc111bb75f0d859af4ea3fc485d119a
Instruction Fuzzy Hash: 75C1B171A00205AFCB16EF58D892EBEB7B9FF49300F1180A9F9059B291DB70ED45CB90

Function 00335AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO0, xrefs: 00335BA8, 00335C6C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: JO0
API String ID: 0-3547640418
Opcode ID: d82fd4e8d7a2ef540b36ba04155c1609c5cd8901e3b02041803ce49870892776
Instruction ID: 916190adccf1b0ace781ef8e7dbaa34681abc955063b793b060b57361994ebb5
Opcode Fuzzy Hash: d82fd4e8d7a2ef540b36ba04155c1609c5cd8901e3b02041803ce49870892776
Instruction Fuzzy Hash: ED51AE75D00619AFCB239FA4D8C5FEEBBB8AF06314F15045AF405AB292D7319A01CB61

Function 00338A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00338B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00338B7A
__dosmaperr.LIBCMT ref: 00338B81

Strings

.2, xrefs: 00338A63

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .2
API String ID: 2434981716-1634799438
Opcode ID: cde79c5e55894e2667534a50bc9507cecd9e003d5296bccb1462aec764951605
Instruction ID: 8e7b78b6a30508be4ca56941ed4fe8f46e8a5e4e2264d70ce09a3c5b8b02dfe4
Opcode Fuzzy Hash: cde79c5e55894e2667534a50bc9507cecd9e003d5296bccb1462aec764951605
Instruction Fuzzy Hash: A841B0B0608246AFCB279F28DCC0A7DBFE9DF46304F2845AAF4948B552DE31CC028790

Function 00362716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0036B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003621D0,?,?,00000034,00000800,?,00000034), ref: 0036B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00362760

Part of subcall function 0036B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0036B3F8

Part of subcall function 0036B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0036B355
Part of subcall function 0036B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00362194,00000034,?,?,00001004,00000000,00000000), ref: 0036B365
Part of subcall function 0036B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00362194,00000034,?,?,00001004,00000000,00000000), ref: 0036B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0036281A

Strings

@, xrefs: 00362832

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 95fc352b2791c9c2f9a2a4e3eada1ea5a759215e775d34927b1a260ea0e9b542
Instruction ID: 02f59ee8669b168ca829681e00eb641fa0c896e6dfa493aae2ca44fc0e0fdb68
Opcode Fuzzy Hash: 95fc352b2791c9c2f9a2a4e3eada1ea5a759215e775d34927b1a260ea0e9b542
Instruction Fuzzy Hash: 29413D76A00218AFDB11DFA4CD41EEEBBB8AF05300F118055FA55BB185DB716E85CBA0

Function 0033172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00331769
_free.LIBCMT ref: 00331834
_free.LIBCMT ref: 0033183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00331760, 00331767, 00331796, 003317CE

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: f01920e7648d9f10e287c09f781411a32fab729c1d65f3e157079ae80efbb250
Instruction ID: 5480d01c69211d7b96293aca87a71a0a44f7e9cd1cee025674b556d2f45f381d
Opcode Fuzzy Hash: f01920e7648d9f10e287c09f781411a32fab729c1d65f3e157079ae80efbb250
Instruction Fuzzy Hash: 32314C75A00218BFDB23DB99ACC5D9EBBBCEB85310F1541A6E8049B211D6718A40CBA4

Function 0036C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0036C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0036C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003D1990,015E5850), ref: 0036C395

Strings

0, xrefs: 0036C2DF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: fc8961b8211180cf2418b5e0e54ab7e38df6d4f3b38069ce69298e62b346b5f7
Instruction ID: 6fcc0a97d7374aa250171526d5716d10a7e97715aa8d88c0ce829109005d9f51
Opcode Fuzzy Hash: fc8961b8211180cf2418b5e0e54ab7e38df6d4f3b38069ce69298e62b346b5f7
Instruction Fuzzy Hash: 4B41D2352143019FD722DF25D844B2ABBE8AF85310F21DA1EF9A59B3D5C734E804CB62

Function 00394416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0039CC08,00000000,?,?,?,?), ref: 003944AA
GetWindowLongW.USER32 ref: 003944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003944D7

Strings

SysTreeView32, xrefs: 0039447C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 1c1037035ae0dfd92d77700c57ac97a8a6b0339260972cb1c3a91677126b2acf
Instruction ID: e6b2584fdc29152697bbf124d0f68c8dbbb34065cc2ebccc9ad7fa7783adf459
Opcode Fuzzy Hash: 1c1037035ae0dfd92d77700c57ac97a8a6b0339260972cb1c3a91677126b2acf
Instruction Fuzzy Hash: 8931CD32210205AFDF228E78DC45FEA7BA9EB09334F224315F979921D0D770EC519B50

Function 00366E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00366EED
VariantCopyInd.OLEAUT32(?,?), ref: 00366F08
VariantClear.OLEAUT32(?), ref: 00366F12

Strings

*j6, xrefs: 00366E8B, 00366E90, 00366EF8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j6
API String ID: 2173805711-2587036816
Opcode ID: b64e63dbd9dc9811d0df97d7116f084ce9dcbae8f376bce75d0c5bf57e746566
Instruction ID: 21741d73ffa72be9554e106d5f3f44ac4496078d5a600d299dc31a27b41ae766
Opcode Fuzzy Hash: b64e63dbd9dc9811d0df97d7116f084ce9dcbae8f376bce75d0c5bf57e746566
Instruction Fuzzy Hash: 58319171605245DFCB07AFA4E8A29BE777AEF85344B10449DF9024F2A1CB359D22DB90

Function 0038304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0038335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00383077,?,?), ref: 00383378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0038307A
_wcslen.LIBCMT ref: 0038309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00383106

Strings

255.255.255.255, xrefs: 00383095, 0038309A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: e3b7f9d5945b119249ebe4870e5351de2bf227992d6de314be4fd57c9aa4e64c
Instruction ID: da06d398cdf94b17a1496a0e7efccb9a5f285054c26f6d7ad7090aebdd82c56a
Opcode Fuzzy Hash: e3b7f9d5945b119249ebe4870e5351de2bf227992d6de314be4fd57c9aa4e64c
Instruction Fuzzy Hash: 2131F379604301DFCB12EF28C485EAA77E0EF14B18F258099E8168F792CB72EE41C760

Function 00393EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00393F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00393F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00393F78

Strings

SysMonthCal32, xrefs: 00393F0B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f1a6fc2bd9df7d1b006a3a5611594e4530c218660c793e74d254f73152341642
Instruction ID: 22e8cf18ab7f64bfdd01bb07b66262e1f8bd5d527ff0c11b0244028e409906db
Opcode Fuzzy Hash: f1a6fc2bd9df7d1b006a3a5611594e4530c218660c793e74d254f73152341642
Instruction Fuzzy Hash: 37219C72610219BFDF228F50DC46FEA3B79EF48714F110215FA16AB1D0D6B1AD508BA0

Function 00394653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00394705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00394713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0039471A

Strings

msctls_updown32, xrefs: 00394684

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b905d71df655fdf4b628348b4e9797dd80c722ba10f8a0ca179731167be38f52
Instruction ID: a9cfe61e5ae8993b84ea70dd15337b13bd0108261918484d4cf0c55dec85f434
Opcode Fuzzy Hash: b905d71df655fdf4b628348b4e9797dd80c722ba10f8a0ca179731167be38f52
Instruction Fuzzy Hash: B82160B5601208AFDB12DF64DCD1DBB37ADEB4A394B050059FA109B291DB31EC12CB60

Function 003695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036961D

Strings

#OnAutoItStartRegister, xrefs: 003695F3
#notrayicon, xrefs: 003695B7
#requireadmin, xrefs: 003695D9

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f5c7d57f9bde6a8bf99f62d26583c8754aad5a71ca4189c2dc5ef3d8a76569e8
Instruction ID: 4d187dffed7113fb46a4987d7dee938ddec63dde22f299939ac6a6b62113d1f6
Opcode Fuzzy Hash: f5c7d57f9bde6a8bf99f62d26583c8754aad5a71ca4189c2dc5ef3d8a76569e8
Instruction Fuzzy Hash: A8215B7220462166C733AB24DC02FB773DC9F52310F15802BFA4ADB089EB71AD45C295

Function 003937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00393840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00393850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00393876

Strings

Listbox, xrefs: 0039380F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7c25e02be2c4986c8d418aa9f3c7a17a8ed6234b1d90f80ca78e8f09fa799f0f
Instruction ID: f5886601b15e88346fa362cbe72264bfe747e661c0d0d13d9b6b8c6eaa85ca6c
Opcode Fuzzy Hash: 7c25e02be2c4986c8d418aa9f3c7a17a8ed6234b1d90f80ca78e8f09fa799f0f
Instruction Fuzzy Hash: 6221D4B2614118BBEF238F94CC45FBB376EEF89750F118114F9009B190C672DC5187A0

Function 003749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00374A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00374A5C
SetErrorMode.KERNEL32(00000000,?,?,0039CC08), ref: 00374AD0

Strings

%lu, xrefs: 00374A6F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7bffd06cf8661484e9323169bbe58d9d18b6c6be25358c9a873a6cb291c0b273
Instruction ID: 5a57f3e9a230095e79208edf32d5a03a180d4224b8c23ad56d8a7d202b70e8c7
Opcode Fuzzy Hash: 7bffd06cf8661484e9323169bbe58d9d18b6c6be25358c9a873a6cb291c0b273
Instruction Fuzzy Hash: BD315175A00109AFDB12DF64C985EAA7BF8EF08308F1480A9F909DF252D775ED45CB61

Function 003941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0039424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00394264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00394271

Strings

msctls_trackbar32, xrefs: 00394226

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a7966b7b49781589e7c8205897f34c5f646549fc7f233bba2a2241cb0a21129e
Instruction ID: a9e5c6b9232910eeecb24f3656f40e874488b8aac1bc28485487e2f31ec62301
Opcode Fuzzy Hash: a7966b7b49781589e7c8205897f34c5f646549fc7f233bba2a2241cb0a21129e
Instruction Fuzzy Hash: 32110632240208BEEF225F39CC06FAB7BACEF85B54F120524FA95E6090D271DC529B20

Function 00362F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

Part of subcall function 00362DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00362DC5
Part of subcall function 00362DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00362DD6
Part of subcall function 00362DA7: GetCurrentThreadId.KERNEL32 ref: 00362DDD
Part of subcall function 00362DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00362DE4

GetFocus.USER32 ref: 00362F78

Part of subcall function 00362DEE: GetParent.USER32(00000000), ref: 00362DF9

GetClassNameW.USER32(?,?,00000100), ref: 00362FC3
EnumChildWindows.USER32(?,0036303B), ref: 00362FEB

Strings

%s%d, xrefs: 00362FFF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e1d2bc40ee3fafb26dfeb961d73a732771a974f42b421407e46417363f178f74
Instruction ID: 53f2d3486dff8ccfcc63054245f8568786c2d7b8a94462155d572b4eda3424cd
Opcode Fuzzy Hash: e1d2bc40ee3fafb26dfeb961d73a732771a974f42b421407e46417363f178f74
Instruction Fuzzy Hash: C911E1B12002056BCF06BF74CC96FEE376AAF84304F048075F9099F29ADE7099498B70

Function 00395882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003958EE
DrawMenuBar.USER32(?), ref: 003958FD

Strings

0, xrefs: 0039588F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b1153be92483463c6fd3ba1133799beefd97bdc35099f052932f72f3fd8a9bc2
Instruction ID: cf33057b563f3d76278481efe705788777226ba9d9ef70931be91bf3b5cbf7c7
Opcode Fuzzy Hash: b1153be92483463c6fd3ba1133799beefd97bdc35099f052932f72f3fd8a9bc2
Instruction Fuzzy Hash: 80015B32504218EFDF239F22DC44BAEBBB8FB45761F10809AE849DA151DB308AC4DF21

Function 0036007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d10db9b26a01c5b8f0a9d3ea5cfd68e36f834312de913d3a1dac3fe02b4d20
Instruction ID: 52c26a2446ed5583a7e1d056b5087da484812de02bea23e342340358171e2120
Opcode Fuzzy Hash: 76d10db9b26a01c5b8f0a9d3ea5cfd68e36f834312de913d3a1dac3fe02b4d20
Instruction Fuzzy Hash: DDC16D75A00206EFCB19CFA4C895EAEB7B5FF49304F218598E505EB255D731ED41CB90

Function 0038342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00383459
CoUninitialize.OLE32 ref: 00383463
VariantInit.OLEAUT32(?), ref: 0038346E
VariantClear.OLEAUT32(?), ref: 0038371B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f8575c865ec65387ee6f0799928b3bd3cb76a7468af592e6c81b6d190a43e6c4
Instruction ID: bc9d410b0f135ab98f019185ab2b842a7fb15997a2f259ed59f9eca9d7ed94e8
Opcode Fuzzy Hash: f8575c865ec65387ee6f0799928b3bd3cb76a7468af592e6c81b6d190a43e6c4
Instruction Fuzzy Hash: 35A15E756043019FC702EF28C895A6AB7E5FF89714F058899F9899F3A1DB30EE41CB51

Function 00360436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0039FC08,?), ref: 003605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0039FC08,?), ref: 00360608
CLSIDFromProgID.OLE32(?,?,00000000,0039CC40,000000FF,?,00000000,00000800,00000000,?,0039FC08,?), ref: 0036062D
_memcmp.LIBVCRUNTIME ref: 0036064E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: de08401ea043875c4ebb643f41017b52a4fac9a363ac03329b313c8e996284c6
Instruction ID: 85d3acfa5b2d01c4fd203b71e3eaee26d82976f64949d758d1fb582405aad7b7
Opcode Fuzzy Hash: de08401ea043875c4ebb643f41017b52a4fac9a363ac03329b313c8e996284c6
Instruction Fuzzy Hash: 94812A71A00109EFCB05DF94C985EEEB7B9FF89315F208598E506AB254DB71AE06CF60

Function 0038A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0038A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0038A6BA

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Process32NextW.KERNEL32(00000000,?), ref: 0038A79C
CloseHandle.KERNEL32(00000000), ref: 0038A7AB

Part of subcall function 0031CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00343303,?), ref: 0031CE8A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 87eebed4782e30753af8b0120220c1d7c35a0a2f81d900d323de2fa5a8eade8d
Instruction ID: 3dfd74c79c8a1ebd340cf6f4d81c8b91968f635b25ca468386de4d91c3356be5
Opcode Fuzzy Hash: 87eebed4782e30753af8b0120220c1d7c35a0a2f81d900d323de2fa5a8eade8d
Instruction Fuzzy Hash: 80518F715083009FD715EF24C896E6BBBE8FF89754F00895EF5859B292EB30D904CBA2

Function 00341391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003414C0

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c7037291d336eb24a8068678bb1b6f1d08dbc8778ce2ed2877f4791eb3b2f39d
Instruction ID: 31e06b408395a66a7ae64e3d635d00000a371028fd7a36c296bfb75356c96ef3
Opcode Fuzzy Hash: c7037291d336eb24a8068678bb1b6f1d08dbc8778ce2ed2877f4791eb3b2f39d
Instruction Fuzzy Hash: 4F417F35A00A10AFDB236BBAAC857BE3AF8EF42370F150625F418DE391E77458C15761

Function 00396278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003962E2
ScreenToClient.USER32(?,?), ref: 00396315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00396382

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 54329510fc6d275d45c82a91d5d195499a96970cd17f04ae011b77a0d36ddebf
Instruction ID: 2d784da7299545baa55a08e8accf5a9ee0b6c3c79f2b12895cd0165160675c98
Opcode Fuzzy Hash: 54329510fc6d275d45c82a91d5d195499a96970cd17f04ae011b77a0d36ddebf
Instruction Fuzzy Hash: 7C517D74A01209EFDF12CF68D8819AE7BB5FF45360F11815AF8159B2A0D730ED81CB90

Function 00381AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00381AFD
WSAGetLastError.WSOCK32 ref: 00381B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00381B8A
WSAGetLastError.WSOCK32 ref: 00381B94

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 4957a36737b3d8f3188c451d941d3da237bb5d04367db6703869cc2f90b88523
Instruction ID: 2a739b99fd5587261e5e087ffc1a404525ffd43303d48a5e3047b00492cb9463
Opcode Fuzzy Hash: 4957a36737b3d8f3188c451d941d3da237bb5d04367db6703869cc2f90b88523
Instruction Fuzzy Hash: A741C4746003006FE726AF24C896F6977E9AB44718F548498F91A9F3D2D772ED82CB90

Function 0033B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c320f3d57bb25b782b26b2a6442b27014fec83031f45f5f47649534565153406
Instruction ID: bc5a5275b56089b36ff00e18f4ab288883531c51482d146707d83ec8e398c6a0
Opcode Fuzzy Hash: c320f3d57bb25b782b26b2a6442b27014fec83031f45f5f47649534565153406
Instruction Fuzzy Hash: D8410675A00714AFE7269F78CC81B6ABBE9EF89710F10462EF241DF692D771A9418780

Function 003756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00375783
GetLastError.KERNEL32(?,00000000), ref: 003757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003757FA

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 0f9f3d2ece9330077487f5245a8caa37d85b3b76cb51ef935f963c1934e4ee6f
Instruction ID: 602d80ce586b2a470c4053cf64ec26b0b4f1df38b1390c7bb7ef64432a5c93d6
Opcode Fuzzy Hash: 0f9f3d2ece9330077487f5245a8caa37d85b3b76cb51ef935f963c1934e4ee6f
Instruction Fuzzy Hash: AA412F39600610DFCB26DF19C554A5EBBE5EF49720B19C488E84A5F3A2CB75FD40CB91

Function 0033D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00326D71,00000000,00000000,003282D9,?,003282D9,?,00000001,00326D71,?,00000001,003282D9,003282D9), ref: 0033D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0033D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0033D9AB
__freea.LIBCMT ref: 0033D9B4

Part of subcall function 00333820: RtlAllocateHeap.NTDLL(00000000,?,003D1444,?,0031FDF5,?,?,0030A976,00000010,003D1440,003013FC,?,003013C6,?,00301129), ref: 00333852

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: eafd0a8be68d2f95fd60c58c27c4a5105865de75843e0d9c607fd68f1124fe41
Instruction ID: fec3a4533c30cebc5dd582491b0419c3aa55c8eba32490e01f6c62b1c5341da5
Opcode Fuzzy Hash: eafd0a8be68d2f95fd60c58c27c4a5105865de75843e0d9c607fd68f1124fe41
Instruction Fuzzy Hash: BD31C172A0021AABDF26DF64EC81EAF7BA9EB41310F064169FC04DB151EB35DD54CBA0

Function 003952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00395352
GetWindowLongW.USER32(?,000000F0), ref: 00395375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00395382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003953A8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 22e0be1532d3299d498da493e977721984f322d16a74e4398191d4b97304f5c4
Instruction ID: 23f1c499ab7c850baeaa46ee8b86f47be37cfbccf4b87d1945abd2429d6b2591
Opcode Fuzzy Hash: 22e0be1532d3299d498da493e977721984f322d16a74e4398191d4b97304f5c4
Instruction Fuzzy Hash: 8D31E338A55A08FFEF339E54CC95BE87769AB05390F594102FA10961E1C7B19DC09B41

Function 0036AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0036ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0036AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0036AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0036ACC6

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 69dd830c121d08ed2d8742de4091599994882107dcc4172266a38f5991956d21
Instruction ID: 7ee2d273d994eca789c2a720de06d969bfe3bb020c656f136334dd7b620e03bf
Opcode Fuzzy Hash: 69dd830c121d08ed2d8742de4091599994882107dcc4172266a38f5991956d21
Instruction Fuzzy Hash: EC313B70A04B186FEF37CB658C087FA7BA9AB45310F04C31BE485E61D8C375D9819B62

Function 00397674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0039769A
GetWindowRect.USER32(?,?), ref: 00397710
PtInRect.USER32(?,?,00398B89), ref: 00397720
MessageBeep.USER32(00000000), ref: 0039778C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0ca82f43ecf73bff78a7cdc7224bfe7fa2987e61ac5188dfd6ad9bc7fe10213d
Instruction ID: a7286d5ec30854848a7bf3d95cc57a6877944e77ea0036c35614842f25a55bcc
Opcode Fuzzy Hash: 0ca82f43ecf73bff78a7cdc7224bfe7fa2987e61ac5188dfd6ad9bc7fe10213d
Instruction Fuzzy Hash: A5417A34A19214EFCF13CF98D894EA9B7F9BB49354F1A40A9E8149B2A1C731A941CB90

Function 003916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003916EB

Part of subcall function 00363A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00363A57
Part of subcall function 00363A3D: GetCurrentThreadId.KERNEL32 ref: 00363A5E
Part of subcall function 00363A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003625B3), ref: 00363A65

GetCaretPos.USER32(?), ref: 003916FF
ClientToScreen.USER32(00000000,?), ref: 0039174C
GetForegroundWindow.USER32 ref: 00391752

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 615a5a706cde827a99276dd141cca80e5ce5d41b7bcac3092f7bddb811c10863
Instruction ID: 19dd0e09aca456d85433144c2c76dcb6ed199e81c60f8c8ecf6db457253fe5cf
Opcode Fuzzy Hash: 615a5a706cde827a99276dd141cca80e5ce5d41b7bcac3092f7bddb811c10863
Instruction Fuzzy Hash: 1B316475D01149AFDB01EFA9C891CAEB7FDEF48304B5080AAE415EB251DB31DE45CBA1

Function 0036DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625

_wcslen.LIBCMT ref: 0036DFCB
_wcslen.LIBCMT ref: 0036DFE2
_wcslen.LIBCMT ref: 0036E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0036E018

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: b74c36afda8b22616061261bd2cfa7a4e10a77dbdc6eb5bbecc7dbcb49d3ae80
Instruction ID: ba474182a29e90daf4b840f850ea8956651d2f774e973bd00bb3ff2f9e91061f
Opcode Fuzzy Hash: b74c36afda8b22616061261bd2cfa7a4e10a77dbdc6eb5bbecc7dbcb49d3ae80
Instruction Fuzzy Hash: D621A375D00214EFCB229FA8D981BAEB7F8EF45750F158065E805BF285D7B09E418BA1

Function 00398FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2

GetCursorPos.USER32(?), ref: 00399001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00357711,?,?,?,?,?), ref: 00399016
GetCursorPos.USER32(?), ref: 0039905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00357711,?,?,?), ref: 00399094

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 872ea858dd46cef540e8b6408dd401d6ebef430ec81e9b7a312b0b13191c192c
Instruction ID: 226593210f522485851ced0d9c60dd56910e959b8844acb4dbf206e6a507b2d5
Opcode Fuzzy Hash: 872ea858dd46cef540e8b6408dd401d6ebef430ec81e9b7a312b0b13191c192c
Instruction Fuzzy Hash: 15219F35600018FFCF278F99D858FEA7BB9EB4A350F05409AF9154B261C3329DA0DB60

Function 0036D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0039CB68), ref: 0036D2FB
GetLastError.KERNEL32 ref: 0036D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0036D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0039CB68), ref: 0036D376

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 5dfb24459bcb769a3739decd0f95d868b2440112b017dd7b9dee66015e0a3f46
Instruction ID: 3cb4116b9cda4b7d60617fb38762c21624f6dfd7c47aeb4775325f818bd176f8
Opcode Fuzzy Hash: 5dfb24459bcb769a3739decd0f95d868b2440112b017dd7b9dee66015e0a3f46
Instruction Fuzzy Hash: 3A21A374A053019FC712DF28C88186A77E8EE56324F608A1EF499CB3E1E731D945CB93

Function 00361571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00361014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0036102A
Part of subcall function 00361014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00361036
Part of subcall function 00361014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00361045
Part of subcall function 00361014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0036104C
Part of subcall function 00361014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00361062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003615BE
_memcmp.LIBVCRUNTIME ref: 003615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00361617
HeapFree.KERNEL32(00000000), ref: 0036161E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 950a2733087c1aba0386404427ce0fcdda6825f2c86385052e47685fc958c124
Instruction ID: eae9c7da524c09775642fc981fdc018adb8f3fc6023fadf3baf4a96723340a4d
Opcode Fuzzy Hash: 950a2733087c1aba0386404427ce0fcdda6825f2c86385052e47685fc958c124
Instruction Fuzzy Hash: 8A21AC31E00108EFDF11DFA8C945BEEBBB8EF44354F098459E841AB245E731AA05CBA0

Function 00392782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0039280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00392824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00392832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00392840

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: df18651dc4ea572be1274244c7c808a7da2577f442c4bda2614ffd3c503ba0aa
Instruction ID: 785846d1ff8323ab5d78cbeef98c46ca3634128c93a37271dbf8eb97a5c4d06a
Opcode Fuzzy Hash: df18651dc4ea572be1274244c7c808a7da2577f442c4bda2614ffd3c503ba0aa
Instruction Fuzzy Hash: E521C131209911BFDB16DB24CC54FAB7B99AF46324F158159F4268B6E2CB71FC42C790

Function 003678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00368D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0036790A,?,000000FF,?,00368754,00000000,?,0000001C,?,?), ref: 00368D8C
Part of subcall function 00368D7D: lstrcpyW.KERNEL32(00000000,?,?,0036790A,?,000000FF,?,00368754,00000000,?,0000001C,?,?,00000000), ref: 00368DB2
Part of subcall function 00368D7D: lstrcmpiW.KERNEL32(00000000,?,0036790A,?,000000FF,?,00368754,00000000,?,0000001C,?,?), ref: 00368DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00368754,00000000,?,0000001C,?,?,00000000), ref: 00367923
lstrcpyW.KERNEL32(00000000,?,?,00368754,00000000,?,0000001C,?,?,00000000), ref: 00367949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00368754,00000000,?,0000001C,?,?,00000000), ref: 00367984

Strings

cdecl, xrefs: 0036797B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1d789232b95346021f719a91a7f6be87ef55886d40cc51c06dcd2e9c494c600b
Instruction ID: aa18a0df29c8ba94f40c7b1cdcdd2206ab1dd654a0068e95bd31b12cb03a46fe
Opcode Fuzzy Hash: 1d789232b95346021f719a91a7f6be87ef55886d40cc51c06dcd2e9c494c600b
Instruction Fuzzy Hash: 6611E93A204302AFDB165F39D845D7A77E9FF49354B50802AF946CB268EB719811C761

Function 00397CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00397D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00397D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00397D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0037B7AD,00000000), ref: 00397D6B

Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 1983dabb9276a7234804a1d8723bf5ed55687e25889598eb1cecf75cc71ca0d4
Instruction ID: a29dc8f63fc6a2ff68c73c5e1dd025ecf8eefc55157d7ffff7d0891f72abaad2
Opcode Fuzzy Hash: 1983dabb9276a7234804a1d8723bf5ed55687e25889598eb1cecf75cc71ca0d4
Instruction Fuzzy Hash: 8311CD72225615AFCF129F28DC04AA63BA8AF46360F168325F839CB2F0D7318D51CB90

Function 00395660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003956BB
_wcslen.LIBCMT ref: 003956CD
_wcslen.LIBCMT ref: 003956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00395816

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 72603451784b724a873bd395ddeb58093b905250de9664af8827f7b9a16dc184
Instruction ID: 52a5da446298e0708086a5efaa79fcc6531182bdfd67c79bc480685c7769914f
Opcode Fuzzy Hash: 72603451784b724a873bd395ddeb58093b905250de9664af8827f7b9a16dc184
Instruction Fuzzy Hash: 4211B275A04618A6DF23DFA5DC85AEE77BCEF11764F104026FA15DA081EBB0DAC4CB60

Function 00331D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f63de19441f4a0e9d5c831163e4e9378ddb9e0d581ea3bde0f20e67c663cba
Instruction ID: d80bbf52d19c3802424777c3c75cd92396a12eaa1691693018e259324bcf9df5
Opcode Fuzzy Hash: 65f63de19441f4a0e9d5c831163e4e9378ddb9e0d581ea3bde0f20e67c663cba
Instruction Fuzzy Hash: D101ADB22096163EF6232A787CC0F37671DDF423B8F311326F521A51D2DB618C004160

Function 00361A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00361A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00361A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00361A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00361A8A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b8428e4e2bfffcfb6238df97931f41e1bd0cec4c39c3835f1f3b439f52115ead
Instruction ID: caae8b7b2bdfee8e235a8f049898be653de5ba864de9f78c0109a7fb334899e9
Opcode Fuzzy Hash: b8428e4e2bfffcfb6238df97931f41e1bd0cec4c39c3835f1f3b439f52115ead
Instruction Fuzzy Hash: CF11573A901219FFEB11DBA4C984FADFB78EB08350F244092EA00B7294C671AE50DB94

Function 0036E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0036E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0036E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0036E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0036E24D

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8d81a8bd7a941b7bff3c1e23a7b1eefb27013e7acc417d4ff1766c0bef8b10ff
Instruction ID: d73be572cea52244055b989ca57058c9da19d4f8835db785cc89846cc309cb21
Opcode Fuzzy Hash: 8d81a8bd7a941b7bff3c1e23a7b1eefb27013e7acc417d4ff1766c0bef8b10ff
Instruction Fuzzy Hash: 5711DBBA904254BFC703AFA8EC09A9E7FADAB45310F048656F924D3291D675CD0487A0

Function 0032D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0032CFF9,00000000,00000004,00000000), ref: 0032D218
GetLastError.KERNEL32 ref: 0032D224
__dosmaperr.LIBCMT ref: 0032D22B
ResumeThread.KERNEL32(00000000), ref: 0032D249

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 357f0872078b149449058ff340c7ae502c64beb4f62b61801b17546bbcef6652
Instruction ID: e4c6455111882b0ebff985dda2b44b5500fc97d66527ead06431fa0bd2f571ff
Opcode Fuzzy Hash: 357f0872078b149449058ff340c7ae502c64beb4f62b61801b17546bbcef6652
Instruction Fuzzy Hash: 5801D636415224BBDB135BA5FC09BAE7A6DDF81330F114619F925961D0CB718901C7A0

Function 00399EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00319BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00319BB2

GetClientRect.USER32(?,?), ref: 00399F31
GetCursorPos.USER32(?), ref: 00399F3B
ScreenToClient.USER32(?,?), ref: 00399F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00399F7A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8119746e8fd890be9f554a1eec576cb38457db4d83ba389aa71e109a7bf40959
Instruction ID: 7ec61d881a269f1eef9edb1c2de53ac7383bbf2096d40602bc5b9464accbe533
Opcode Fuzzy Hash: 8119746e8fd890be9f554a1eec576cb38457db4d83ba389aa71e109a7bf40959
Instruction Fuzzy Hash: B0115A3290051ABBDF12EFA9D845AEEB7BCFB05312F00045AF912E7140D330BA81CBA1

Function 0030600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0030604C
GetStockObject.GDI32(00000011), ref: 00306060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0030606A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 19a85b3c0556e7fc41b753f609be75f34273f6c1d86b06fd3f7a192d2371dd0e
Instruction ID: e383ed6c443f0d0aeb7d6af15935e455b3a0fd92dececc416b7103ab455dfade
Opcode Fuzzy Hash: 19a85b3c0556e7fc41b753f609be75f34273f6c1d86b06fd3f7a192d2371dd0e
Instruction Fuzzy Hash: 1B11AD72506508BFEF134FA4DC65EEBBBADEF083A4F050212FA0452050C7329C60EBA0

Function 00323B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00323B56

Part of subcall function 00323AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00323AD2
Part of subcall function 00323AA3: ___AdjustPointer.LIBCMT ref: 00323AED

_UnwindNestedFrames.LIBCMT ref: 00323B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00323B7C
CallCatchBlock.LIBVCRUNTIME ref: 00323BA4

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: dbbde2bc19ad5f165bace0c7f5b6639489c8659eaba3721a26f2f14f74f134bc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8E012932100158BBDF126E95EC42EEB3F6AEF48754F054014FE485A121C736E961DBA0

Function 00333073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003013C6,00000000,00000000,?,0033301A,003013C6,00000000,00000000,00000000,?,0033328B,00000006,FlsSetValue), ref: 003330A5
GetLastError.KERNEL32(?,0033301A,003013C6,00000000,00000000,00000000,?,0033328B,00000006,FlsSetValue,003A2290,FlsSetValue,00000000,00000364,?,00332E46), ref: 003330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0033301A,003013C6,00000000,00000000,00000000,?,0033328B,00000006,FlsSetValue,003A2290,FlsSetValue,00000000), ref: 003330BF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b57bb966ea9cb284127da47aae9801c83b5a5819ef024d0996b3bb4230a484a5
Instruction ID: cae997e08d151ba5c9f21f74adae561b39da591f4079c25e63c5e548ea603be0
Opcode Fuzzy Hash: b57bb966ea9cb284127da47aae9801c83b5a5819ef024d0996b3bb4230a484a5
Instruction Fuzzy Hash: 2001F732312622ABCB374B78ACC4A677B9CAF05B61F218621F947E7150C722D901C6E0

Function 00367464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0036747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00367497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003674CA

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: b65c2e5ce0abc87eca89d46d7c57f785ff4c23b257e5df0a7d2e10acf35501fb
Instruction ID: d5f8b7b332f0cc16d14d418bf6336d474e9810714e341f22e134477d39b633e3
Opcode Fuzzy Hash: b65c2e5ce0abc87eca89d46d7c57f785ff4c23b257e5df0a7d2e10acf35501fb
Instruction Fuzzy Hash: 2D11E1B02053009BE7238F16DD0CBA27BFCEB00B08F90C16AA616D6055DB71E904CB60

Function 0036B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0036ACD3,?,00008000), ref: 0036B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0036ACD3,?,00008000), ref: 0036B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0036ACD3,?,00008000), ref: 0036B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0036ACD3,?,00008000), ref: 0036B126

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4d2edb5ffeb0041bac02a231169afb708cab716caff2e9d0257419720b5e8650
Instruction ID: 098c9e1220791d3a45f0402581f1daab4bf1de5a2cf51d30e153a2cb0e3c7cff
Opcode Fuzzy Hash: 4d2edb5ffeb0041bac02a231169afb708cab716caff2e9d0257419720b5e8650
Instruction Fuzzy Hash: BD115E31C1151DE7CF029FE4D9596EEFF78FF0A711F118086D981B2149CB3196908B59

Function 00397E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00397E33
ScreenToClient.USER32(?,?), ref: 00397E4B
ScreenToClient.USER32(?,?), ref: 00397E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00397E8A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e4dcdf4b1aeb96605bf56d67a76795a475da22ed080f3454bb698be9071ae9c5
Instruction ID: 58adb467ac6c9bcc4b66496f122bc7e318ab713cb17ed2e137ea546634162bda
Opcode Fuzzy Hash: e4dcdf4b1aeb96605bf56d67a76795a475da22ed080f3454bb698be9071ae9c5
Instruction Fuzzy Hash: EB1142B9D0024AAFDB41DF98C884AEEBBF9FF08310F509066E915E3210D735AA54CF90

Function 00362DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00362DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00362DD6
GetCurrentThreadId.KERNEL32 ref: 00362DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00362DE4

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8a4fe7f19e1e68ce65ce7db13e9c7c2dd87b0369311a54aff80a758c4bbc4d03
Instruction ID: 0981be77ce495822c156be125a0da602311da3aca189119ba4e8a3c11d4817f6
Opcode Fuzzy Hash: 8a4fe7f19e1e68ce65ce7db13e9c7c2dd87b0369311a54aff80a758c4bbc4d03
Instruction Fuzzy Hash: 19E09271111624BBDB221B769C0DFEB3E6CFF42BA1F455416F105D10909AA6C840C6B0

Function 00398863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00319639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00319693
Part of subcall function 00319639: SelectObject.GDI32(?,00000000), ref: 003196A2
Part of subcall function 00319639: BeginPath.GDI32(?), ref: 003196B9
Part of subcall function 00319639: SelectObject.GDI32(?,00000000), ref: 003196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00398887
LineTo.GDI32(?,?,?), ref: 00398894
EndPath.GDI32(?), ref: 003988A4
StrokePath.GDI32(?), ref: 003988B2

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4c74df59e61eeb0213f53b189d66db64e0d78fa744def33d6beae08dd490423f
Instruction ID: cb31a9b7bdd83e00d20ccaa8560f2cdf30afbb6f4ccf36538a0581e2c6b0a509
Opcode Fuzzy Hash: 4c74df59e61eeb0213f53b189d66db64e0d78fa744def33d6beae08dd490423f
Instruction Fuzzy Hash: 94F03A36056259BBDB136F94AC09FCA3B5DAF0A310F048002FA11651E1C7765551CBF9

Function 003198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003198CC
SetTextColor.GDI32(?,?), ref: 003198D6
SetBkMode.GDI32(?,00000001), ref: 003198E9
GetStockObject.GDI32(00000005), ref: 003198F1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: c14c8645b93f0902e96b666f33a6f78105f44c5bb956cd10b79510bb5f5ad9b7
Instruction ID: 9541b98ab9ea711b76f1dfe76f7302cf80f4f6c00d23481a3e49f71c0c2b8d8b
Opcode Fuzzy Hash: c14c8645b93f0902e96b666f33a6f78105f44c5bb956cd10b79510bb5f5ad9b7
Instruction Fuzzy Hash: 90E06D31254280ABDB225B75BC09BE93F24AB12336F05821BFAFA980E1C7724644DB10

Function 0036162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00361634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003611D9), ref: 0036163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003611D9), ref: 00361648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003611D9), ref: 0036164F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8a52e01e920550d2d6b0c2ff614c013538027f4577ad08f2628263d7b7f8073d
Instruction ID: 35a872929527288e9c459694df9e96ed38c772d69b01cb7ca0b79e9676e1cda5
Opcode Fuzzy Hash: 8a52e01e920550d2d6b0c2ff614c013538027f4577ad08f2628263d7b7f8073d
Instruction Fuzzy Hash: 78E08635611211EBDB211FA09E0DB463B7CBF44791F19C809F645C9084D6358440C760

Function 0035D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0035D858
GetDC.USER32(00000000), ref: 0035D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0035D882
ReleaseDC.USER32(?), ref: 0035D8A3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b60d5e47f539ee1ceea9e7098e23f10fa7cdca3e9d8f3503fc191326af237468
Instruction ID: 3edef3ab4dd393778caf2a171198737e8cdb0d6ea79d44219a7724bed3b667db
Opcode Fuzzy Hash: b60d5e47f539ee1ceea9e7098e23f10fa7cdca3e9d8f3503fc191326af237468
Instruction Fuzzy Hash: 02E01AB1810205DFCF429FA0D808A6DBBB9FB08311F18A00AE806E7250CB3A9941EF50

Function 0035D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0035D86C
GetDC.USER32(00000000), ref: 0035D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0035D882
ReleaseDC.USER32(?), ref: 0035D8A3

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: db36e473f7d330250b5367eee535831b87fd552685f310025e2bba30ab2274fd
Instruction ID: 10cd86cd1543f19519fc740467703832fb78ffdfde99eadc92eb489b9e3a026f
Opcode Fuzzy Hash: db36e473f7d330250b5367eee535831b87fd552685f310025e2bba30ab2274fd
Instruction Fuzzy Hash: 0FE09AB5810205DFCF529FA0D80866DBBB9BB08311F18A44AE946E7250CB3A9941DF50

Function 00374D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00307620: _wcslen.LIBCMT ref: 00307625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00374ED4

Strings

LPT, xrefs: 00374DFB
*, xrefs: 00374E10

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 52ec7b36be480747dcf523c64a88dbecbb808d5d70de663d8673678040533732
Instruction ID: da56c5b5aa4965384ea5ac4abc4b920719116a2e2a4f627213df4c5391037f95
Opcode Fuzzy Hash: 52ec7b36be480747dcf523c64a88dbecbb808d5d70de663d8673678040533732
Instruction Fuzzy Hash: 99918075A002049FCB26DF58C494EAABBF5BF49304F19C099E40A9F7A2C735ED85CB91

Function 0032E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0032E30D

Strings

pow, xrefs: 0032E2E5, 0032E302

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 217239a449fdd0038f79847e0c5badb3c603cb8b12998f8378ab6b155eac4962
Instruction ID: ae39caf868694add03047262d0a7d1678523c19d6b388f206f3b3da162c3aa68
Opcode Fuzzy Hash: 217239a449fdd0038f79847e0c5badb3c603cb8b12998f8378ab6b155eac4962
Instruction Fuzzy Hash: 78516FB1A0C202D6CB37B718E9833BA3BACEF40741F354D58E4D6462E9DB358C919B46

Function 00387771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0035569E,00000000,?,0039CC08,?,00000000,00000000), ref: 003878DD

Part of subcall function 00306B57: _wcslen.LIBCMT ref: 00306B6A

CharUpperBuffW.USER32(0035569E,00000000,?,0039CC08,00000000,?,00000000,00000000), ref: 0038783B

Strings

<s<, xrefs: 003877C8

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s<
API String ID: 3544283678-4182610772
Opcode ID: cc648e7d150310f0d69d87def84c0ddf15983bc4416ac8918caacd76cbb957d9
Instruction ID: 8d3f625abbbb853ded38fdad42c3897aa97eaf2dcf7168aeb7cad137c3a56b6c
Opcode Fuzzy Hash: cc648e7d150310f0d69d87def84c0ddf15983bc4416ac8918caacd76cbb957d9
Instruction Fuzzy Hash: 41615E76925218ABCF06FBA4CCA2DFDB379BF14700B544169F542AB091EF309A45CBA0

Function 0031E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0031E1B1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6189780814ed4cd913529df5552ff6004962e6a077f16efeae8f0fca947816f4
Instruction ID: e5920fa7d40c58388759ec0879f59e82423c5fce53a7ef52bf344a5784018ed9
Opcode Fuzzy Hash: 6189780814ed4cd913529df5552ff6004962e6a077f16efeae8f0fca947816f4
Instruction Fuzzy Hash: 405110319002569FDB1FEF28C0A1AFA7BA8EF19311F244455FC919B2E0D6319E87CB90

Function 0031F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0031F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0031F2BB

Strings

@, xrefs: 0031F2AF

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f6928feb9e883e4f9d90d642c70103846a78e5ea7f9ac97fdccb88a5b4a2365a
Instruction ID: 056cadb344870c8748d20df177e92b220c169a02063c1742082f20370ae998f4
Opcode Fuzzy Hash: f6928feb9e883e4f9d90d642c70103846a78e5ea7f9ac97fdccb88a5b4a2365a
Instruction Fuzzy Hash: 565173728187459BD321AF10D896BABBBF8FB84304F81894CF2D9410A5EB309529CB67

Function 00385745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003857E0
_wcslen.LIBCMT ref: 003857EC

Strings

CALLARGARRAY, xrefs: 003857E6, 003857EB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 5da75596c7912cbd13262bfcd080ad029f9b9f59931899b35dd9834f49164db2
Instruction ID: 023440702281a602f9f55451f15747d81a745b7018d913514a4c2c7fdc6aacb5
Opcode Fuzzy Hash: 5da75596c7912cbd13262bfcd080ad029f9b9f59931899b35dd9834f49164db2
Instruction Fuzzy Hash: DB41A231E002159FCB06EFA9C8819FEBBB5FF59310F1140AAE505AB291D7709D81CF90

Function 0037D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0037D13A

Strings

|, xrefs: 0037D10B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: cc2b102002e09781e0e493a42ae451e31d5e812ccd526fd5060fa5791e1fbc01
Instruction ID: 66e2d5b0184af89c649ceb1f3e4990f62c069f0a347c1b7409fd9e8f24a43e0d
Opcode Fuzzy Hash: cc2b102002e09781e0e493a42ae451e31d5e812ccd526fd5060fa5791e1fbc01
Instruction Fuzzy Hash: 08315071D01219ABCF12EFA4CD95AEE7FB9FF04300F004019F819AA166D735AA16CB60

Function 0039356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00393621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0039365C

Strings

static, xrefs: 003935BC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8e09e7689dd656e1c6d52fb23b6b49a2196f074c7b7590528fe9e2f17804991d
Instruction ID: 3fa01195d2842aa1b70e5b42fd7c0b9febf07afaf726bba0d8248f2054706fa8
Opcode Fuzzy Hash: 8e09e7689dd656e1c6d52fb23b6b49a2196f074c7b7590528fe9e2f17804991d
Instruction Fuzzy Hash: 1A31ADB1110204AEEB12DF68DC80EFB73A9FF89720F019619F8A5D7280DA31AD91C760

Function 00394537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0039461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00394634

Strings

', xrefs: 0039458E

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: abce2c44f01568a2661b610bd62038242ab46e09c199634708f05f845dc06371
Instruction ID: d2022b13f867513d36af265eac51aad871ac9db6f15613db04530c1bdefd1ba0
Opcode Fuzzy Hash: abce2c44f01568a2661b610bd62038242ab46e09c199634708f05f845dc06371
Instruction Fuzzy Hash: 753117B5A013099FDF15CFA9D990BDABBB9FB0A300F15416AE905AB341D770A942CF90

Function 003931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0039327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00393287

Strings

Combobox, xrefs: 00393249

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0bb09582eb573d103a8f7994054025e83033fe8445dcdab5f8ab6dc850d81754
Instruction ID: df63ddbd6e9d6e711c90fc8f2e8bd57fc8059c77eb67ececb57d5955f5a98a90
Opcode Fuzzy Hash: 0bb09582eb573d103a8f7994054025e83033fe8445dcdab5f8ab6dc850d81754
Instruction Fuzzy Hash: 7A11E2B13002087FFF229F94DC80EBB376EEB94364F110929F9589B290D6319D518760

Function 00393710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0030600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0030604C
Part of subcall function 0030600E: GetStockObject.GDI32(00000011), ref: 00306060
Part of subcall function 0030600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0030606A

GetWindowRect.USER32(00000000,?), ref: 0039377A
GetSysColor.USER32(00000012), ref: 00393794

Strings

static, xrefs: 00393757

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1a6cd46651c306ea818ce5233d8f7b84bb810558eb891328dd937345d9eeff72
Instruction ID: c595abc35959064f6ad4a4206296a616cbc8b6d0c420bccf771b21ba2e0ae302
Opcode Fuzzy Hash: 1a6cd46651c306ea818ce5233d8f7b84bb810558eb891328dd937345d9eeff72
Instruction Fuzzy Hash: 491137B261020AAFDF02DFA8CC46EEA7BB8FB09314F015915F955E2250E735E8619B60

Function 0037CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0037CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0037CDA6

Strings

<local>, xrefs: 0037CD66

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b3950b43cd133cc5cfbdfc6766f1eb84db40e4499eea0c3d30d7a10b617687df
Instruction ID: 3fc6c50f0525d2c8e2a1bbaf2165ef29ffa11cebe0c94ff418acd6759eccdc25
Opcode Fuzzy Hash: b3950b43cd133cc5cfbdfc6766f1eb84db40e4499eea0c3d30d7a10b617687df
Instruction Fuzzy Hash: E711C671225631BAD7364B668C85FE7BEACEF167A4F00922EB10D83180D7789C40D6F0

Function 00393429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003934BA

Strings

edit, xrefs: 0039348F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8a3d4e2251dc06da7a7e11fa0631f3df6943674ad7ac644b8133ef7d92250c21
Instruction ID: d179d6adb5383e8b5d6046a10acffa60a95f4c4b061097657a3467ef57c56f76
Opcode Fuzzy Hash: 8a3d4e2251dc06da7a7e11fa0631f3df6943674ad7ac644b8133ef7d92250c21
Instruction Fuzzy Hash: C2116AB2100208ABEF139F65DC44ABB37AEEB05378F524724F965971E0C772EC519B60

Function 00366C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

CharUpperBuffW.USER32(?,?,?), ref: 00366CB6
_wcslen.LIBCMT ref: 00366CC2

Strings

STOP, xrefs: 00366CBC, 00366CC1

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f2f93a540aec4d577d3282d88230c7e6df014dfb33f3bd0026917fe631e1afaf
Instruction ID: aede6be8f3d7ed1fb3456282fdc9e14aacaad2f6a015820685bd1288c0a55b63
Opcode Fuzzy Hash: f2f93a540aec4d577d3282d88230c7e6df014dfb33f3bd0026917fe631e1afaf
Instruction Fuzzy Hash: CE012B326009268BCB139FBDDC529BF77B8FF607907014539E452971D9EB31D840C650

Function 00361CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00361D4C

Strings

ListBox, xrefs: 00361D16
ComboBox, xrefs: 00361CEB

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5d8c650cd02a445d5fd490c61e378e14d6bea5df38a30e1382c6824ca15e2d50
Instruction ID: 52905401c98192216e673e095f08acebcb63cd6585406af6f0b2c5fae80a523e
Opcode Fuzzy Hash: 5d8c650cd02a445d5fd490c61e378e14d6bea5df38a30e1382c6824ca15e2d50
Instruction Fuzzy Hash: 5301D871651214ABCB06FBA4CC51DFE7768EB56350F08451AF8229B3C6EA315D1897A0

Function 00361BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00361C46

Strings

ListBox, xrefs: 00361C10
ComboBox, xrefs: 00361BE5

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7f918a199f450402e9f99abb76d3b07db9d14336ef8aaa13d1d4f8b595140b7b
Instruction ID: ced79dca776345b4e41ab830fe208f56f5111ce74ae730581aae397562491624
Opcode Fuzzy Hash: 7f918a199f450402e9f99abb76d3b07db9d14336ef8aaa13d1d4f8b595140b7b
Instruction Fuzzy Hash: CB01A775A8110467DB06EB90C962EFF77AC9B11340F18401AF5066B2CAEA60AE1897B1

Function 00361C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00361CC8

Strings

ListBox, xrefs: 00361C94
ComboBox, xrefs: 00361C69

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 88dbde23bae09755c17d244a600880c85828db9df57aed548cb6ccc95e94d448
Instruction ID: 431d6993282d9c70cee932cf2a293b8f3afaa29da75b4123f72cffcbd2a530d4
Opcode Fuzzy Hash: 88dbde23bae09755c17d244a600880c85828db9df57aed548cb6ccc95e94d448
Instruction Fuzzy Hash: 370186B5A8115867DB17EBA4CA11FFF77AC9B11340F18401AB802B72C6EA619F08D771

Function 0031A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0031A529

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Strings

,%=, xrefs: 0031A509
3y5, xrefs: 0031A545, 0031A54D, 0031A552

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%=$3y5
API String ID: 2551934079-982647064
Opcode ID: 0cd488c931b9f30c3bff2fe3083cb72b5fc3ea26ed2ddd27af994304273eec1a
Instruction ID: a0354ac3ba438aa466ca5771eff197f6e5d205c5814452cf69662de1bb364348
Opcode Fuzzy Hash: 0cd488c931b9f30c3bff2fe3083cb72b5fc3ea26ed2ddd27af994304273eec1a
Instruction Fuzzy Hash: 08014732702A1087C90BF368B81BFEE735A8B0A711F400016F5012F2C3DE206D858697

Function 00361D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00309CB3: _wcslen.LIBCMT ref: 00309CBD

Part of subcall function 00363CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00363CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00361DD3

Strings

ListBox, xrefs: 00361DA0
ComboBox, xrefs: 00361D75

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 037a703cefc5a0c0b83567be94bd9884ed6401ab9b447bf7f7c60fc7fd7462fa
Instruction ID: aba727114b974b34597cb00ef96bbed8052b9671ab41d063cff1cb28b7096bc1
Opcode Fuzzy Hash: 037a703cefc5a0c0b83567be94bd9884ed6401ab9b447bf7f7c60fc7fd7462fa
Instruction Fuzzy Hash: 26F0C871F4121467DB06F7A4CC62FFFB77CAB02350F08491AF822AB2C6DA606D088360

Function 00398172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003D3018,003D305C), ref: 003981BF
CloseHandle.KERNEL32 ref: 003981D1

Strings

\0=, xrefs: 0039818A

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0=
API String ID: 3712363035-499741732
Opcode ID: c3486b466185352dc44f53b2e6dfaf5b4579d63023002ac813ac4d0177f6b8b1
Instruction ID: 8db42152385f9e680f62eea7aae35cdb4548b40c8c376ce8ee8d09c950665cd8
Opcode Fuzzy Hash: c3486b466185352dc44f53b2e6dfaf5b4579d63023002ac813ac4d0177f6b8b1
Instruction Fuzzy Hash: 27F05EF6641310BBE3226761BC45FB73B5CDB05750F000422BB0AD91A2D67A8E0483BA

Function 0038747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00387493
_wcslen.LIBCMT ref: 003874B9

Strings

3, 3, 16, 1, xrefs: 00387483

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: c874151520c392b93b004b1aacf909a406fd36d303bca9e49e486c6d4b895f80
Instruction ID: 5894a0a34a8150923a5d161a241ffbe31379ab1a5176976cbe9b7bb7c9938759
Opcode Fuzzy Hash: c874151520c392b93b004b1aacf909a406fd36d303bca9e49e486c6d4b895f80
Instruction Fuzzy Hash: 6FE02B16204330109233327BBCC5A7F568ACFC5750734186BF985C7266EBD4CDD193A0

Function 00360B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00360B23

Strings

AutoIt, xrefs: 00360B17
Error allocating memory., xrefs: 00360B1C

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e423769d591a96b31bfbc3f6bf2405cecb35cba5a96b9058a83a96cb5df98d96
Instruction ID: ee1cf59857063d0ff7eb51a1fc75cb3fd107497b22a01de708321d35c597fad4
Opcode Fuzzy Hash: e423769d591a96b31bfbc3f6bf2405cecb35cba5a96b9058a83a96cb5df98d96
Instruction Fuzzy Hash: 8CE048312553183AD61737947C43FD97A848F09F51F10446AF7589D5C38BE2649046B9

Function 00320D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0031F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00320D71,?,?,?,0030100A), ref: 0031F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0030100A), ref: 00320D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0030100A), ref: 00320D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00320D7F

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 167a4e1581eb446e531eb934473bb59e28c347c8bb37304a5146cb504eff6d08
Instruction ID: 8358ef332470bd115926010a7aa974abca672c300f67da09bf9ec149a6dbbb25
Opcode Fuzzy Hash: 167a4e1581eb446e531eb934473bb59e28c347c8bb37304a5146cb504eff6d08
Instruction Fuzzy Hash: 96E092742013118FDB379FB8F4043927BE4AF04740F004D2EE4C2C6652DBB1E4488B91

Function 0031E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0031E3D5

Strings

0%=, xrefs: 0031E3B5
8%=, xrefs: 0031E3CA

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%=$8%=
API String ID: 1385522511-2389475881
Opcode ID: 8b0e896e8382003051a41c62fd3ff537ff6c5f3195c1b8f4bcf129b438fd6741
Instruction ID: 60a5208ff32e484d882d5369311f5a1ab8a1b0008e0594dff3e941af4718e383
Opcode Fuzzy Hash: 8b0e896e8382003051a41c62fd3ff537ff6c5f3195c1b8f4bcf129b438fd6741
Instruction Fuzzy Hash: 99E02039C01A20CBC60F9758B858DC9735BBB1E320F5016A7E4228B1D29B3128818554

Function 00373017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0037302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00373044

Strings

aut, xrefs: 00373038

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e140bbd80fb0116ba4da07ccd4a20ad7ff552ec2c49f3c07287472b72044a89f
Instruction ID: 413d6729e24dc442b0fe39c8cf92bb0473f10b2d643e4f9e2639470b4244d7a6
Opcode Fuzzy Hash: e140bbd80fb0116ba4da07ccd4a20ad7ff552ec2c49f3c07287472b72044a89f
Instruction Fuzzy Hash: 5ED05EB650032877DE20A7A4AC0EFCB3A6CDB04750F0006A2B695E2091DBB19984CBE0

Function 0035D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0035D220

Strings

X64, xrefs: 0035D2A8
%.3d, xrefs: 0035D22B

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: c2bad3a2ca363e6c9e185706d43da75028a1687888a30741b209b0f5c6faf947
Instruction ID: a1ec3c7bdf18dcb982b34a3498487212421fd95ff95c33dcbb74cf50805fc609
Opcode Fuzzy Hash: c2bad3a2ca363e6c9e185706d43da75028a1687888a30741b209b0f5c6faf947
Instruction Fuzzy Hash: E6D01275808108E9CB6297D0CC45DF9B37CBB0C302F508856FC06D1850D624D54CABA1

Function 00392322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0039233F

Part of subcall function 0036E97B: Sleep.KERNEL32 ref: 0036E9F3

Strings

Shell_TrayWnd, xrefs: 00392325

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 48fb997790fc22fdbb124b9f5177f5bed8440ac449e0c578033750a53cc599da
Instruction ID: 7c55f362beb7e3ffeaa393c4bf3f89e509d8f2078dfa731814c7e74241380b95
Opcode Fuzzy Hash: 48fb997790fc22fdbb124b9f5177f5bed8440ac449e0c578033750a53cc599da
Instruction Fuzzy Hash: 2BD0C9363A4310B6E665A7719C0FFC6AA689F40B10F015916B645AA1D4C9A5A8058A54

Function 00392356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039236C
PostMessageW.USER32(00000000), ref: 00392373

Part of subcall function 0036E97B: Sleep.KERNEL32 ref: 0036E9F3

Strings

Shell_TrayWnd, xrefs: 00392365

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 540b66834909ab866a5b4ff7bce79525e191a19edb3044e67c776cb7d43ce647
Instruction ID: 46f912d3600ee735ce41f2b34eb1cd4c59d34be6aa4b12b60b906968b8e9359e
Opcode Fuzzy Hash: 540b66834909ab866a5b4ff7bce79525e191a19edb3044e67c776cb7d43ce647
Instruction Fuzzy Hash: 13D0A9323903007AE666A3309C0FFC6A6289B00B00F004916B201EA0D4C9A0A8008A08

Function 0033BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0033BE93
GetLastError.KERNEL32 ref: 0033BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0033BEFC

Memory Dump Source

Source File: 00000000.00000002.1824836951.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.1824802110.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.000000000039C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1824952851.00000000003C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825052447.00000000003CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825088186.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 33e2ff508453a47361b45df6aa321a6b6de37afb3b0e0344899e70c9076de769
Instruction ID: d58af51c2173ec9374e6646b152439572b89d62ea3cc7a8a8b4207a1c7f7674c
Opcode Fuzzy Hash: 33e2ff508453a47361b45df6aa321a6b6de37afb3b0e0344899e70c9076de769
Instruction Fuzzy Hash: BA41E734604216EFCF238F68DCD4ABAFBA9EF41310F15516AFA599B1A1DB318D00CB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000B.00000002.1793672952.00000177DDF90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000002.1793672952.00000177DDF90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingz equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.1800365332.0000020E3CAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992347579.0000012EA69FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957204842.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900874032.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .S........[tlsflags0x00000000]www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010680822.0000012E9D8B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1994158301.0000012E9FF92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903260638.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959575762.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1959575762.0000012E9FFA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957204842.0000012EA6AC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989644969.0000012EA6432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1959055628.0000012EA487B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955963925.0000012EAACF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902062485.0000012EA487B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1955963925.0000012EAACD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989069575.0000012EAACAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972125475.0000012EA6AB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1972738194.0000012EA6465000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957490671.0000012EA6465000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975011423.0000012EA6465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010680822.0000012E9D8B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1994158301.0000012E9FF92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903260638.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959575762.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1994158301.0000012E9FF92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903260638.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959575762.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: :https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3027290511.000002EEA50A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.3026774298.000002323D400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsF] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3026846005.0000028D299C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsw equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957204842.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971962811.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900874032.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: >https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3026776489.000002EEA5074000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.3027993986.000002323D5D4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028084937.0000028D29A84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2011823658.0000012E9C6F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsJ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.1800365332.0000020E3CABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking--attempting-deelevation7 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000002.1793672952.00000177DDF90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking8 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000002.1793672952.00000177DDF90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\Desktop\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default> equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.1800365332.0000020E3CAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2012156347.0000012E9C6FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsJ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.3027993986.000002323D5D0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3027993986.000002323D5D4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3026774298.000002323D400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3027290511.000002EEA50A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoP equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3027290511.000002EEA50AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/video\ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1955963925.0000012EAACD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: WindowGlobalParent.getActor: Window protocol 'Translations' doesn't match uri about:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1972125475.0000012EA6A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1972125475.0000012EA6A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1959055628.0000012EA48AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1992782253.0000012EA6438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906604695.0000012E9F5AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.3027993986.000002323D5D0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3026776489.000002EEA5070000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028084937.0000028D29A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3= equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992782253.0000012EA6438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989281450.0000012EAAC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989644969.0000012EA6432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2012049545.0000012E9C693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: gramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2007601309.0000012E9E336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959575762.0000012E9FFA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957204842.0000012EA6AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1959055628.0000012EA487B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955963925.0000012EAACF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902062485.0000012EA487B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000002.1825595936.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870449991.0000012E9D3A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955963925.0000012EAACD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3028038855.000002EEA520A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028824758.0000028D29C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3028038855.000002EEA520A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028824758.0000028D29C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3028038855.000002EEA520A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028824758.0000028D29C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2006916379.0000012E9F019000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984724517.0000012E9F019000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-nullprincipal:{96d3ad3f-f81d-43cb-9472-40cda6dd7bae}?https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000003.1793343056.00000177DDFAD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.1793705643.00000177DDFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: osk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000002.1793970307.00000177DFBA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s--kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationUser equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000003.1792105793.0000000000D84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REg equals www.facebook.com (Facebook)
Source: recovery.jsonlz4.tmp.13.dr	String found in binary or memory: url":"https://www.facebook.com/video","title) equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1972738194.0000012EA6465000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2007601309.0000012E9E336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1992347579.0000012EA69E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010680822.0000012E9D8B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2001155871.0000012EAB56F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1847894608.0000012E9E4D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1986743337.0000012E9E4D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992347579.0000012EA69FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957204842.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900874032.0000012EA6AC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x.S........[tlsflags0x00000000]www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1959055628.0000012EA48AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1992782253.0000012EA6438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906604695.0000012E9F5AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xabout:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992782253.0000012EA6438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989281450.0000012EAAC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989644969.0000012EA6432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xe=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1972125475.0000012EA6A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992782253.0000012EA6438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989281450.0000012EAAC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1992347579.0000012EA69FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1994158301.0000012E9FF92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903260638.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959575762.0000012E9FF4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.115.113:443 -> 192.168.2.4:64876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:64963 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:64962 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:64961 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.115.113
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 64962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 64876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 64961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65114
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64876
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 64963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0fdd5269-5fd6-4aa1-a5d9-8ff725c1ecb4.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0fdd5269-5fd6-4aa1-a5d9-8ff725c1ecb4.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre