Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542874
MD5:	efc94402d2caa77bfd60f0284f19c149
SHA1:	8aaeeb9d5e835b3b7b0d80e5c61426b50562ac38
SHA256:	8a2ded047e3b5d5cf7425e1bc4bc720d2941a736b207191f4b3832d8b3d03fb7
Tags:	CredentialFlusherexeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 3992 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EFC94402D2CAA77BFD60F0284F19C149)

taskkill.exe (PID: 5932 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3720 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1732 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5820 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 796 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3264 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4312 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3612 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7240 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d2f54c-3382-4854-a701-1ab4e653a17d} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241e706ed10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7784 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3492 -parentBuildID 20230927232528 -prefsHandle 3296 -prefMapHandle 1004 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2f1bb6d-6f07-407d-844b-36996831da47} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241f8d5a310 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7656 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 33074 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52572232-28b6-441a-a52c-2028632fc4f5} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241f8689510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 3992	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0056EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0056EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0056ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0056EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0055AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00589576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00589576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1716219752.00000000005B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4b3f6aee-5
Source: file.exe, 00000000.00000000.1716219752.00000000005B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4c080a7c-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_22869c22-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7ee87a26-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025472582377 NtQuerySystemInformation,		16_2_0000025472582377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000254725A7872 NtQuerySystemInformation,		16_2_00000254725A7872

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0055D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00551201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00551201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0055E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FBF40	0_2_004FBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00562046	0_2_00562046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F8060	0_2_004F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00558298	0_2_00558298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052E4FF	0_2_0052E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052676B	0_2_0052676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00584873	0_2_00584873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FCAF0	0_2_004FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051CAA0	0_2_0051CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050CC39	0_2_0050CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00526DD9	0_2_00526DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050B119	0_2_0050B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F91C0	0_2_004F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511394	0_2_00511394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511706	0_2_00511706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051781B	0_2_0051781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050997D	0_2_0050997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F7920	0_2_004F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005119B0	0_2_005119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00517A4A	0_2_00517A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511C77	0_2_00511C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00543CD2	0_2_00543CD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00517CA7	0_2_00517CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057BE44	0_2_0057BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00529EEE	0_2_00529EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511F32	0_2_00511F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 13_3_0000024CFF978986	13_3_0000024CFF978986
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025472582377	16_2_0000025472582377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000254725A7872	16_2_00000254725A7872
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000254725A78B2	16_2_00000254725A78B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000254725A7F9C	16_2_00000254725A7F9C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0050F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00510A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004F9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/39@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005637B5 GetLastError,FormatMessageW,

0_2_005637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005510BF AdjustTokenPrivileges,CloseHandle,		0_2_005510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0055D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0056648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004F42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1928900698.0000024200B7E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d2f54c-3382-4854-a701-1ab4e653a17d} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241e706ed10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3492 -parentBuildID 20230927232528 -prefsHandle 3296 -prefMapHandle 1004 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2f1bb6d-6f07-407d-844b-36996831da47} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241f8d5a310 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 33074 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52572232-28b6-441a-a52c-2028632fc4f5} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241f8689510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d2f54c-3382-4854-a701-1ab4e653a17d} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241e706ed10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3492 -parentBuildID 20230927232528 -prefsHandle 3296 -prefMapHandle 1004 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2f1bb6d-6f07-407d-844b-36996831da47} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241f8d5a310 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 33074 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52572232-28b6-441a-a52c-2028632fc4f5} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241f8689510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1955036969.00000241F6688000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1955036969.00000241F6688000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00510A76 push ecx; ret

0_2_00510A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0050F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00581C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00581C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96426

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000025472582377 rdtsc

16_2_0000025472582377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0055DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005668EE FindFirstFileW,FindClose,	0_2_005668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0056698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0055D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0055D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00569642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00569642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0056979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00569B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00569B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00565C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00565C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: firefox.exe, 00000010.00000002.3575582508.0000025472470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfp
Source: firefox.exe, 0000000F.00000002.3571843749.000001BAB34CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWUO
Source: firefox.exe, 0000000F.00000002.3571843749.000001BAB34CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3575582508.0000025472470000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3570572459.0000025471C5A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3570843151.0000019B5EA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3575641863.000001BAB3915000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3571843749.000001BAB34CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG
Source: firefox.exe, 00000010.00000002.3575582508.0000025472470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbz
Source: firefox.exe, 0000000F.00000002.3576415816.000001BAB3D49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWB
Source: firefox.exe, 00000010.00000002.3575582508.0000025472470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1s
Source: firefox.exe, 0000000F.00000002.3571843749.000001BAB34CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3576415816.000001BAB3D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000011.00000002.3575696360.0000019B5F000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000025472582377 rdtsc

16_2_0000025472582377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056EAA2 BlockInput,

0_2_0056EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00522622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00522622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00514CE8 mov eax, dword ptr fs:[00000030h]

0_2_00514CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00550B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00550B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00522622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00522622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0051083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005109D5 SetUnhandledExceptionFilter,	0_2_005109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00510C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00510C21

Source: C:\Users\user\Desktop\file.exe

0_2_00551201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00532BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00532BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055B226 SendInput,keybd_event,

0_2_0055B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005722DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00550B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00551663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00551663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1950420731.0000024202A09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00510698 cpuid

0_2_00510698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00568195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00568195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0054D27A GetUserNameW,

0_2_0054D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0052BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0052BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3992, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3992, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00571204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00571806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://support.mozilla.org/	0%	URL Reputation	safe
https://poczta.interia.pl/mh/?mailto=%s	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	0%	URL Reputation	safe
https://getpocket.com/firefox/new_tab_learn_more/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.65.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	216.58.206.78	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1933085590.00000241FA9A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1802697191.00000241FA9A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3572521463.0000019B5EEC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1970981195.00000241F8958000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961328139.00000241FFA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936565947.00000241FFA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918894580.00000241F7E40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962720176.00000241F8958000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837144567.00000241F8A39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3572867031.000001BAB38C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3575866321.0000019B5F103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1901560254.00000241FEF3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806755811.00000241FEF42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3572521463.0000019B5EE8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/user1	firefox.exe, 00000011.00000002.3572521463.0000019B5EEF5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1932410810.00000241FEEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961833424.00000241FEEF5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1937512669.00000241FF635000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960937960.00000241FFABC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973044546.00000241FFABC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936565947.00000241FFABC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1768230305.00000241F6B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769202382.00000241F6B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768917003.00000241F6B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768495675.00000241F6B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767969991.00000241F6900000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1972388213.00000241FEED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961911140.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932410810.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1945748593.00000241F94E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911455112.00000241F8884000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962720176.00000241F8958000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767969991.00000241F6900000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1938233549.00000241FA46C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1768230305.00000241F6B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769202382.00000241F6B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768917003.00000241F6B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768495675.00000241F6B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767969991.00000241F6900000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1940663854.00000241F9839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962119241.00000241FEE2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945422787.00000241FEE2F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3572867031.000001BAB38C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3575866321.0000019B5F103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1937512669.00000241FF690000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1936565947.00000241FFA9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1972388213.00000241FEED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961911140.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932410810.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3572867031.000001BAB38C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3575866321.0000019B5F103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000011.00000002.3572521463.0000019B5EE0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1886466329.00000241F778E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1932410810.00000241FEEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961833424.00000241FEEF5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1944904281.00000241FF690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929557233.00000241FF690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937512669.00000241FF690000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3572521463.0000019B5EEC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1886466329.00000241F778E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1897257217.00000241F876E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1935699128.0000024200C97000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1937512669.00000241FF635000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1932410810.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000010.00000002.3572185732.0000025471F5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3572521463.0000019B5EE13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1932410810.00000241FEEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961833424.00000241FEEF5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1937512669.00000241FF649000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1830975504.00000241F956E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1969990937.00000241FA446000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831177852.00000241F8AE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910961819.00000241F8AE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912528559.00000241F73BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930931231.00000241FF0C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777253319.00000241F70F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901560254.00000241FEF26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897257217.00000241F877D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911455112.00000241F8886000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772375360.00000241F6B47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831873746.00000241F8AF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901560254.00000241FEF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921685865.00000241F9568000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839444142.00000241F73C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938964944.00000241FA43C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937947241.00000241FF0C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946518186.00000241F92DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938964944.00000241FA428000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824261308.00000241F8848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1943321623.000002440003F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1938233549.00000241FA46C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1939286950.00000241F9AE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938233549.00000241FA46C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1945748593.00000241F94E7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1901560254.00000241FEF3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806755811.00000241FEF42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1972388213.00000241FEED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961911140.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932410810.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1972388213.00000241FEED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961911140.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932410810.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1771269249.00000241F6333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772810151.00000241F6315000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772926734.00000241F6331000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1938233549.00000241FA46C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1886466329.00000241F778E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1771269249.00000241F6333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772810151.00000241F6315000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772926734.00000241F6331000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1944904281.00000241FF690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929557233.00000241FF690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937512669.00000241FF690000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3572867031.000001BAB38C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3575866321.0000019B5F103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1932410810.00000241FEEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961833424.00000241FEEF5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1767969991.00000241F6900000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1937512669.00000241FF649000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1768230305.00000241F6B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769202382.00000241F6B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768917003.00000241F6B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768495675.00000241F6B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911455112.00000241F8884000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767969991.00000241F6900000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3572266328.000001BAB3700000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3571707114.0000025471DC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3571883284.0000019B5EC00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1932410810.00000241FEEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961833424.00000241FEEF5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1932410810.00000241FEEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961833424.00000241FEEF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945748593.00000241F94E7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1886466329.00000241F778E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/	firefox.exe, 0000000D.00000003.1937512669.00000241FF649000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1771269249.00000241F6333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772810151.00000241F6315000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772926734.00000241F6331000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000D.00000003.1932410810.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1806627790.00000241FEF8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807793037.00000241F7F61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	firefox.exe, 0000000D.00000003.1932410810.00000241FEED7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.com/firefox/new_tab_learn_more/	firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.206.78	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542874
Start date and time:	2024-10-26 19:15:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/39@73/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 52.13.186.250, 44.231.229.39, 142.250.181.234, 142.250.186.74, 142.250.185.206, 2.22.61.59, 2.22.61.56, 2.18.121.73, 2.18.121.79, 172.217.16.206
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 3612 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
151.101.65.91	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.244.42.1
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	157.240.251.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
ATGS-MMD-ASUS	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	34.175.139.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_64dc646c-e7c5-4da9-9a61-28d354a0f1a5.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1760830338156945
Encrypted:	false
SSDEEP:	192:rjMXFxScbhbVbTbfbRbObtbyEl7n8rNJA6WnSrDtTUd/SkDr0:rY6cNhnzFSJcrIBnSrDhUd/i
MD5:	039A9845CFDBEE06695415A64A4D4484
SHA1:	D272E8251B47F66439197BAA96E130E8B22D1D19
SHA-256:	93BE3D57E94B16F7A4B9721F3266692D32DBB887B38E6FCA6956FB9C82DBA403
SHA-512:	4FD59F27D643E6E473B2455F5029A4AA16B73C87AA135E090603607DF6D56595BC3C2966CECA26E390EAE698057D798B39D3BB87EC784E9141F3A4153A05BA00
Malicious:	false
Preview:	{"type":"uninstall","id":"64dc646c-e7c5-4da9-9a61-28d354a0f1a5","creationDate":"2024-10-26T19:11:41.823Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_64dc646c-e7c5-4da9-9a61-28d354a0f1a5.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1760830338156945
Encrypted:	false
SSDEEP:	192:rjMXFxScbhbVbTbfbRbObtbyEl7n8rNJA6WnSrDtTUd/SkDr0:rY6cNhnzFSJcrIBnSrDhUd/i
MD5:	039A9845CFDBEE06695415A64A4D4484
SHA1:	D272E8251B47F66439197BAA96E130E8B22D1D19
SHA-256:	93BE3D57E94B16F7A4B9721F3266692D32DBB887B38E6FCA6956FB9C82DBA403
SHA-512:	4FD59F27D643E6E473B2455F5029A4AA16B73C87AA135E090603607DF6D56595BC3C2966CECA26E390EAE698057D798B39D3BB87EC784E9141F3A4153A05BA00
Malicious:	false
Preview:	{"type":"uninstall","id":"64dc646c-e7c5-4da9-9a61-28d354a0f1a5","creationDate":"2024-10-26T19:11:41.823Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.315322673069572
Encrypted:	false
SSDEEP:	24:Wdf8kAjTIUx2dWoM15ShLN8zm/df8kAjswM+bpoqdWoM15ShLFX1RgmFdf8kAj6N:WdygUgdwg8zwdyk6Bdwgs+dyEadwgu1
MD5:	2C05FB34AA5D0D26074D8E31C305682B
SHA1:	36CFDD2C295CD5F14517DA39364997CC4681A1BF
SHA-256:	ECE9E44B32869881372EDAED73288A481BDA3141A9FB62464A720AD5CF10A14F
SHA-512:	02073AA06F466468764EF2B7BDA744ABB04D38AA1D7A63432607BCF5E428951D082F16730562353FD9D37D52A484658F59586F32D9FAEC269C0AE2DC9CE3321A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......jR...'..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IZY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WZY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WZY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........Ea......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.315322673069572
Encrypted:	false
SSDEEP:	24:Wdf8kAjTIUx2dWoM15ShLN8zm/df8kAjswM+bpoqdWoM15ShLFX1RgmFdf8kAj6N:WdygUgdwg8zwdyk6Bdwgs+dyEadwgu1
MD5:	2C05FB34AA5D0D26074D8E31C305682B
SHA1:	36CFDD2C295CD5F14517DA39364997CC4681A1BF
SHA-256:	ECE9E44B32869881372EDAED73288A481BDA3141A9FB62464A720AD5CF10A14F
SHA-512:	02073AA06F466468764EF2B7BDA744ABB04D38AA1D7A63432607BCF5E428951D082F16730562353FD9D37D52A484658F59586F32D9FAEC269C0AE2DC9CE3321A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......jR...'..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IZY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WZY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WZY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........Ea......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MEDVUVLA3HSB55R6S8GH.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.315322673069572
Encrypted:	false
SSDEEP:	24:Wdf8kAjTIUx2dWoM15ShLN8zm/df8kAjswM+bpoqdWoM15ShLFX1RgmFdf8kAj6N:WdygUgdwg8zwdyk6Bdwgs+dyEadwgu1
MD5:	2C05FB34AA5D0D26074D8E31C305682B
SHA1:	36CFDD2C295CD5F14517DA39364997CC4681A1BF
SHA-256:	ECE9E44B32869881372EDAED73288A481BDA3141A9FB62464A720AD5CF10A14F
SHA-512:	02073AA06F466468764EF2B7BDA744ABB04D38AA1D7A63432607BCF5E428951D082F16730562353FD9D37D52A484658F59586F32D9FAEC269C0AE2DC9CE3321A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......jR...'..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IZY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WZY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WZY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........Ea......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VO008HJL8Q25CSV8LH4O.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.315322673069572
Encrypted:	false
SSDEEP:	24:Wdf8kAjTIUx2dWoM15ShLN8zm/df8kAjswM+bpoqdWoM15ShLFX1RgmFdf8kAj6N:WdygUgdwg8zwdyk6Bdwgs+dyEadwgu1
MD5:	2C05FB34AA5D0D26074D8E31C305682B
SHA1:	36CFDD2C295CD5F14517DA39364997CC4681A1BF
SHA-256:	ECE9E44B32869881372EDAED73288A481BDA3141A9FB62464A720AD5CF10A14F
SHA-512:	02073AA06F466468764EF2B7BDA744ABB04D38AA1D7A63432607BCF5E428951D082F16730562353FD9D37D52A484658F59586F32D9FAEC269C0AE2DC9CE3321A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......jR...'..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IZY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WZY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WZY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........Ea......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929521376163892
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNVqr:8S+OfJQPUFpOdwNIOdYVjvYcXaNL7e8P
MD5:	A1AA543B7496370CB3EFEE0E51C680EB
SHA1:	AF28749894F65EED2CD392D0248AC3E5C4E8F5DD
SHA-256:	4E9D4565C7892700999126CBCB53586F0B9B39645F12E19C1A3D74B6AAF94B7A
SHA-512:	D5BCF229D8119737BC05F7DC10DA4D1A2B1518FB6115D2A831280C620CBDE52B2D490E8C2D83FF7EE731816B65E2F928CDE96285B4E2BA8FF2DF71DBAD527C55
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929521376163892
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNVqr:8S+OfJQPUFpOdwNIOdYVjvYcXaNL7e8P
MD5:	A1AA543B7496370CB3EFEE0E51C680EB
SHA1:	AF28749894F65EED2CD392D0248AC3E5C4E8F5DD
SHA-256:	4E9D4565C7892700999126CBCB53586F0B9B39645F12E19C1A3D74B6AAF94B7A
SHA-512:	D5BCF229D8119737BC05F7DC10DA4D1A2B1518FB6115D2A831280C620CBDE52B2D490E8C2D83FF7EE731816B65E2F928CDE96285B4E2BA8FF2DF71DBAD527C55
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733666067446506
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiL:DLhesh7Owd4+ji
MD5:	4F3C6E8C16261FF83109662582373E13
SHA1:	D92BA4965386B3D17825FC77E8D8634AA24A3ADF
SHA-256:	6EF057739E0F30DD39363059B4481110C547E378B311EE7282AECC99BCB53152
SHA-512:	1251004900BF2D6B0E9BC864DF183E7FD7E6EC05659C674EBE574B2CAE65DEBED05CE3F6BD4ADD2F90FF02340F38E3A0D44820CAA617723918BE61EE6EDBB609
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039751381258926154
Encrypted:	false
SSDEEP:	3:GHlhVYnmFPUYHlhVYnmFPe4l8a9//Ylll4llqlyllel4lt:G7VYnm177VYnm1FL9XIwlio
MD5:	5B710C502BD4D6768D34FD75946195A4
SHA1:	E1CE3FFFF2D7BB5065E5D6808C7157986F203E35
SHA-256:	4CE3D2C284F843923A2D070D304B6600BE5699307F262FA2315C3A88689FBC8E
SHA-512:	CB235876D1F56EDF8F6ED3AE611AB75A80377622DF57197C54C88890479A530AED1B9370E0E203D81B91F437CF6361326E18468A8D67F495D758407FE9BD4615
Malicious:	false
Preview:	..-.....................ut68.XZ.\|..f3.Ql....moJ..-.....................ut68.XZ.\|..f3.Ql....moJ........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11749591602457894
Encrypted:	false
SSDEEP:	24:Kofk0LxsZ+GjxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxNqwlyVZ2i7+:zMgQNJtUnWdU+RVx1mZk
MD5:	92AF1A437837E333937A823A81FFEAA8
SHA1:	88AF5F7C4C9FE0BC911387E4ABA733C0566B9D8A
SHA-256:	AA96E45C5B85451C0FA9DDA094439CFBE7376B9CA1D9209D740869856867913B
SHA-512:	25963A6CACEE0A13A34FA2EC0E590913F3F6B2DC81C16D7321AF66FB722B0314DD8BB324DAA0D0D732A216B7389EE505EC7F5A69F6FF89BBC111B64787EEE3D6
Malicious:	false
Preview:	7....-..........\|..f3.Ql<..aZ.g........\|..f3.QlXN..T9..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.496039757213453
Encrypted:	false
SSDEEP:	192:+naRtLYbBp6lhj4qyaaXI6KtbNTR5RfGNBw8dcSl:7eXqsSB5cw30
MD5:	BD426B6E24FA680BC3586112A647506E
SHA1:	5089FA114EDA80E3470F2C22C53AE593E34DCE5F
SHA-256:	1A9F5E48E4724A10454F292ACB6FD0E994FB910D3683A4FC1349E2D56E14720F
SHA-512:	1FBB357977CE57C380E5E7431EC5FB37490CB27B5A9035D6E27AF655C615D845ABED4831C6D7BE872335972DD66E6ACE1D7ED554AE796782D481E2617ED82673
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729969871);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729969871);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729969871);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172996

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.496039757213453
Encrypted:	false
SSDEEP:	192:+naRtLYbBp6lhj4qyaaXI6KtbNTR5RfGNBw8dcSl:7eXqsSB5cw30
MD5:	BD426B6E24FA680BC3586112A647506E
SHA1:	5089FA114EDA80E3470F2C22C53AE593E34DCE5F
SHA-256:	1A9F5E48E4724A10454F292ACB6FD0E994FB910D3683A4FC1349E2D56E14720F
SHA-512:	1FBB357977CE57C380E5E7431EC5FB37490CB27B5A9035D6E27AF655C615D845ABED4831C6D7BE872335972DD66E6ACE1D7ED554AE796782D481E2617ED82673
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729969871);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729969871);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729969871);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172996

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.360395450567774
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSN2gLLXnIgs/pnxQwRlszT5sKLZ3eHVQj6TNJamhuCIeJJlOsIomN0:GUpOxELMnR6N3eHTXTJlIq44
MD5:	060FB4DC30BB89A6815F7BA86C1F1545
SHA1:	CB9A5579AA2EE31E822BF9AA2E470FD77E18AAD9
SHA-256:	81B81CAB07A86F9EE945ADF9662C4585CCCAEFCF31DEDF136E8DDA8D07456597
SHA-512:	B3A590CC076077EC3601E3B16F85C72A1BBB4171BD3FC913A10607FCFC988309315887807C4567285AD4882E5CE6406C928F1BFB3BFB38A5F2F2BD2E690E54E8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bd7a8ea1-084a-4c1a-b5d2-fe08be295dcf}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729969876285,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l.............1":{..jUpdate...6,"startTim..P41016...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...48418,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.360395450567774
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSN2gLLXnIgs/pnxQwRlszT5sKLZ3eHVQj6TNJamhuCIeJJlOsIomN0:GUpOxELMnR6N3eHTXTJlIq44
MD5:	060FB4DC30BB89A6815F7BA86C1F1545
SHA1:	CB9A5579AA2EE31E822BF9AA2E470FD77E18AAD9
SHA-256:	81B81CAB07A86F9EE945ADF9662C4585CCCAEFCF31DEDF136E8DDA8D07456597
SHA-512:	B3A590CC076077EC3601E3B16F85C72A1BBB4171BD3FC913A10607FCFC988309315887807C4567285AD4882E5CE6406C928F1BFB3BFB38A5F2F2BD2E690E54E8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bd7a8ea1-084a-4c1a-b5d2-fe08be295dcf}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729969876285,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l.............1":{..jUpdate...6,"startTim..P41016...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...48418,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	6.360395450567774
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSN2gLLXnIgs/pnxQwRlszT5sKLZ3eHVQj6TNJamhuCIeJJlOsIomN0:GUpOxELMnR6N3eHTXTJlIq44
MD5:	060FB4DC30BB89A6815F7BA86C1F1545
SHA1:	CB9A5579AA2EE31E822BF9AA2E470FD77E18AAD9
SHA-256:	81B81CAB07A86F9EE945ADF9662C4585CCCAEFCF31DEDF136E8DDA8D07456597
SHA-512:	B3A590CC076077EC3601E3B16F85C72A1BBB4171BD3FC913A10607FCFC988309315887807C4567285AD4882E5CE6406C928F1BFB3BFB38A5F2F2BD2E690E54E8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bd7a8ea1-084a-4c1a-b5d2-fe08be295dcf}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729969876285,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l.............1":{..jUpdate...6,"startTim..P41016...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...48418,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033585321418923
Encrypted:	false
SSDEEP:	48:YrSAYt6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	46D4D34A8FA6F76C12846279D316FC06
SHA1:	4339FF0CA3871888C1503E1B6401D684E38CBE1F
SHA-256:	4143C36712451C28EAF4E7C17C7B8EA1CED9BEDD5651A3D2E12B16DCBBE700E6
SHA-512:	0E6280E17E62622DFB422650946375C1545A11C005B51BB932C0559D8B577C46884D643E0AFE44EE9E6C302017EB3D1DEFF1E75506FBBB4F23BE3713F370FAE0
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-26T19:11:00.854Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033585321418923
Encrypted:	false
SSDEEP:	48:YrSAYt6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	46D4D34A8FA6F76C12846279D316FC06
SHA1:	4339FF0CA3871888C1503E1B6401D684E38CBE1F
SHA-256:	4143C36712451C28EAF4E7C17C7B8EA1CED9BEDD5651A3D2E12B16DCBBE700E6
SHA-512:	0E6280E17E62622DFB422650946375C1545A11C005B51BB932C0559D8B577C46884D643E0AFE44EE9E6C302017EB3D1DEFF1E75506FBBB4F23BE3713F370FAE0
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-26T19:11:00.854Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584697653897185
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	efc94402d2caa77bfd60f0284f19c149
SHA1:	8aaeeb9d5e835b3b7b0d80e5c61426b50562ac38
SHA256:	8a2ded047e3b5d5cf7425e1bc4bc720d2941a736b207191f4b3832d8b3d03fb7
SHA512:	de830c98d98b32ea613ff9b152dc2a1062d391b9fd0247588eb395269f05c0d8e55250e72297a0469a666836760fbcd6cb1635d0a86c7e9222bdf58d5316e0f3
SSDEEP:	12288:WqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TW:WqDEvCTbMWu7rQYlBQcBiT6rprG8abW
TLSH:	88159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671D1A7B [Sat Oct 26 16:36:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE51C7FEFD3h
jmp 00007FE51C7FE8DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE51C7FEABDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE51C7FEA8Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE51C80167Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE51C8016C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE51C8016B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	d476b58a657c725fd0a5e6597e7dab6f	False	0.31566455696202533	data	5.3738683404625185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 19:16:49.812439919 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:16:49.812499046 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 19:16:49.819118023 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:16:49.824210882 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:16:49.824227095 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 19:16:50.486598969 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 19:16:50.486607075 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 19:16:50.488379955 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:16:50.497289896 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:16:50.497307062 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 19:16:50.497417927 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:16:50.497524023 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 26, 2024 19:16:50.502573967 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:16:51.793378115 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:51.793431997 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:51.794243097 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:51.795860052 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:51.795876980 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:51.940931082 CEST	49739	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:51.941051960 CEST	443	49739	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:51.944603920 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:51.947108984 CEST	49739	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:51.948636055 CEST	49739	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:51.948673010 CEST	443	49739	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:51.950148106 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:51.951637983 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:51.952369928 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:51.957715988 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:52.624005079 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:52.669328928 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:52.697160959 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:52.697257042 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 26, 2024 19:16:52.699326992 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:52.699352980 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:52.700593948 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:52.700664043 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:52.700817108 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:52.700849056 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 26, 2024 19:16:52.702497959 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:52.702518940 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:52.707694054 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.708731890 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.709944010 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.709964991 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.714287043 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.714302063 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.714369059 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.714550018 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.714848042 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.800081968 CEST	443	49739	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.800159931 CEST	49739	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.801101923 CEST	443	49739	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.802798033 CEST	49739	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.807269096 CEST	49739	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.807281971 CEST	443	49739	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.807421923 CEST	49739	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.807442904 CEST	443	49739	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.807543993 CEST	49739	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.807960033 CEST	49743	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.808001041 CEST	443	49743	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.808162928 CEST	49743	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.809757948 CEST	49743	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:52.809770107 CEST	443	49743	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:52.877156019 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:52.877192974 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:52.878391027 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:52.880630016 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:52.880645990 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:52.882457972 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:52.889928102 CEST	80	49745	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:52.890762091 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:52.890877008 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:52.898283005 CEST	80	49745	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:53.326354027 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.332688093 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.344916105 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 26, 2024 19:16:53.352821112 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:53.381000996 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:53.381045103 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 26, 2024 19:16:53.381390095 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 26, 2024 19:16:53.384159088 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.384181976 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.384305000 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.384443998 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.384821892 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.384872913 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.387737036 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:53.387829065 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:53.387942076 CEST	443	49741	35.244.181.201	192.168.2.4
Oct 26, 2024 19:16:53.393160105 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:53.393188953 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.393225908 CEST	49741	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:16:53.393254995 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.395710945 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.395725012 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.488377094 CEST	80	49745	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:53.501741886 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.511331081 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.514894962 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.535299063 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:53.553760052 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.553781986 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.553853989 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.554085970 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.554986000 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.662935019 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:53.662971020 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:53.668615103 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:53.669337034 CEST	80	49745	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:53.676342010 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:53.676367998 CEST	49745	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:53.677386045 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 19:16:53.677418947 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 19:16:53.679243088 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 19:16:53.679478884 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 19:16:53.679491997 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 19:16:53.680957079 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.681021929 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.688621044 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:53.693969011 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:53.696178913 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.697227955 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:53.698373079 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:53.698422909 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:53.698585987 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:53.703944921 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:53.709673882 CEST	443	49743	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:53.712212086 CEST	443	49743	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:53.713685036 CEST	49743	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:53.715112925 CEST	49743	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:53.715121031 CEST	443	49743	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:53.720000982 CEST	49743	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:53.720015049 CEST	443	49743	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:53.720094919 CEST	49743	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:53.720274925 CEST	443	49743	216.58.206.78	192.168.2.4
Oct 26, 2024 19:16:53.723570108 CEST	49743	443	192.168.2.4	216.58.206.78
Oct 26, 2024 19:16:54.013736963 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:54.013755083 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:54.016721964 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:54.022243977 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:54.022253036 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:54.022339106 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:54.022440910 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:54.022768974 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:54.291369915 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 19:16:54.295417070 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:54.303105116 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 19:16:54.307800055 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 19:16:54.307825089 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 19:16:54.308078051 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 19:16:54.310587883 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 19:16:54.310681105 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 19:16:54.310746908 CEST	443	49748	34.160.144.191	192.168.2.4
Oct 26, 2024 19:16:54.310832977 CEST	49748	443	192.168.2.4	34.160.144.191
Oct 26, 2024 19:16:54.314007998 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:54.314019918 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:54.315094948 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:54.320219994 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:54.320241928 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:54.320328951 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:54.320681095 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 26, 2024 19:16:54.320740938 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 26, 2024 19:16:54.343522072 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:54.551321983 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:54.556849003 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:54.561084032 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:54.561276913 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:54.566576004 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:54.715337992 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:54.720940113 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:54.840709925 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:54.886481047 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:54.996753931 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:55.047094107 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:55.063131094 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:55.063482046 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:55.445502996 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:55.451137066 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:55.461173058 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:55.461173058 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:16:55.466474056 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:56.056538105 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:16:56.109882116 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:00.457690954 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:00.457747936 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:00.469310045 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:00.469569921 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:00.469583988 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:00.474184036 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:00.479537964 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:00.481498003 CEST	49757	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:00.481528997 CEST	443	49757	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:00.481848955 CEST	49757	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:00.483345032 CEST	49757	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:00.483359098 CEST	443	49757	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:00.506383896 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:00.506442070 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:00.508640051 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:00.510195971 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:00.510224104 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:00.511599064 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:00.511629105 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:00.517503977 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:00.519082069 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:00.519097090 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:00.599406004 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:00.639938116 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:01.080151081 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:01.080168009 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:01.080249071 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:01.083214045 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:01.083221912 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:01.083530903 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:01.086049080 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:01.086183071 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:01.086246967 CEST	443	49756	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:01.086324930 CEST	49756	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:01.109842062 CEST	443	49757	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:01.110793114 CEST	49757	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:01.115590096 CEST	49757	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:01.115608931 CEST	443	49757	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:01.115729094 CEST	49757	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:01.115871906 CEST	443	49757	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:01.115931988 CEST	49757	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:01.140219927 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:01.140307903 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:01.145548105 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:01.145567894 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:01.145642996 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:01.145853996 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:01.145935059 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:01.197685003 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:01.197861910 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.203304052 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.203326941 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:01.203527927 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.203663111 CEST	443	49758	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:01.203795910 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.203854084 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:01.203999043 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.204035997 CEST	49758	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.205383062 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.205410004 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:01.813579082 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:01.813653946 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.819008112 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.819031000 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:01.819092035 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:01.819178104 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:01.819222927 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:05.223016024 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:05.228559017 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:05.347831964 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:05.410298109 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:05.900248051 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:05.905612946 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:06.025693893 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:06.074162006 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:06.481779099 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:06.481833935 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:06.481970072 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:06.483371019 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:06.483388901 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:06.749835968 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:06.755358934 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:06.875159979 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:06.930301905 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:07.115772963 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:07.115925074 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:07.138704062 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:07.138725996 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:07.138866901 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:07.139246941 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:07.139333963 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.266896963 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:08.270091057 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.270236969 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.272742987 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:08.273159027 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.274588108 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.274619102 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.283761978 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.283803940 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.285244942 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.285444021 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.285463095 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.359568119 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:08.359627962 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:08.359972954 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.360064030 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.361296892 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:08.361545086 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.362757921 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:08.362771988 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:08.362920046 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.362956047 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.392477989 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:08.434299946 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:08.567220926 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:08.572757006 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:08.692579031 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:08.735171080 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:08.899749994 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.901362896 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.906205893 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.906306982 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.976753950 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:08.976969004 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:08.978804111 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.978895903 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.979199886 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.980330944 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.980489969 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.983674049 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.983688116 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.983958006 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.984833002 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.984864950 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.984911919 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:08.985430956 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:08.987607002 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.020391941 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.036012888 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.049062014 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:09.050189972 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.050261974 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.050435066 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.051031113 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:09.051050901 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:09.051099062 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:09.051274061 CEST	443	49769	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:09.051341057 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.051386118 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.051820993 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.054035902 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.054047108 CEST	49769	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:09.054090977 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.054498911 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:09.174391985 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:09.204921007 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.204968929 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.208703041 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.208889008 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.208898067 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.216279030 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:09.220976114 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:09.221673012 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:09.229254007 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.229281902 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.230556011 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.230668068 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.230676889 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.232042074 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.232062101 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.232486963 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.233843088 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.233853102 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.341265917 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:09.383789062 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:09.824892044 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.825503111 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.828643084 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.828656912 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.829432011 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.831304073 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.831454992 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.831690073 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.832086086 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.833997011 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:09.839421988 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:09.840044022 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.841274977 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.844244957 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.844259024 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.844558954 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.846430063 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.846513033 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.846611977 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.852099895 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.852125883 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.854883909 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.855070114 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.864432096 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.864450932 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.864521027 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.864731073 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.865602970 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.868798018 CEST	49775	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.868832111 CEST	443	49775	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.869620085 CEST	49775	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.871220112 CEST	49775	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:09.871232986 CEST	443	49775	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:09.959814072 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:09.962657928 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:09.968117952 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.001123905 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.087393999 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.104454041 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.110032082 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.139359951 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.230093956 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.233108044 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.238619089 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.270756960 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.357886076 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.402268887 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.492089987 CEST	443	49775	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:10.492166042 CEST	49775	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:10.497001886 CEST	49775	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:10.497010946 CEST	443	49775	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:10.497092962 CEST	49775	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:10.497169018 CEST	443	49775	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:10.497697115 CEST	49775	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:10.499645948 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.502213955 CEST	49776	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:10.502252102 CEST	443	49776	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:10.502415895 CEST	49776	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:10.503746033 CEST	49776	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:10.503761053 CEST	443	49776	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:10.505122900 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.625143051 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.628151894 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.634573936 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.671921015 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:10.755012035 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:10.803462982 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:11.125252962 CEST	443	49776	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:11.125338078 CEST	49776	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:11.130227089 CEST	49776	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:11.130235910 CEST	443	49776	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:11.130326033 CEST	49776	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:11.130388021 CEST	443	49776	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:11.131670952 CEST	49776	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:11.133227110 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:11.138621092 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:11.231966019 CEST	49777	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:11.232006073 CEST	443	49777	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:11.232341051 CEST	49777	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:11.233628035 CEST	49777	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:11.233639956 CEST	443	49777	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:11.260730982 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:11.266815901 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:11.272264957 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:11.304958105 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:11.392074108 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:11.442986965 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:11.843859911 CEST	443	49777	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:11.843945026 CEST	49777	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:11.848139048 CEST	49777	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:11.848155022 CEST	443	49777	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:11.848218918 CEST	49777	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:11.848520041 CEST	443	49777	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:11.849005938 CEST	49777	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:11.850635052 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:11.856040955 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:11.975944996 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:11.978869915 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:11.984251022 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:12.029027939 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:12.103599072 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:12.144921064 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:18.579189062 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:18.579248905 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:18.583153963 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:18.583254099 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:18.583261967 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:18.602245092 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:18.602271080 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:18.614598989 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:18.614897966 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:18.614913940 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:18.615780115 CEST	49780	443	192.168.2.4	151.101.65.91
Oct 26, 2024 19:17:18.615822077 CEST	443	49780	151.101.65.91	192.168.2.4
Oct 26, 2024 19:17:18.616554022 CEST	49780	443	192.168.2.4	151.101.65.91
Oct 26, 2024 19:17:18.616864920 CEST	49780	443	192.168.2.4	151.101.65.91
Oct 26, 2024 19:17:18.616879940 CEST	443	49780	151.101.65.91	192.168.2.4
Oct 26, 2024 19:17:18.641935110 CEST	49781	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:17:18.642014027 CEST	443	49781	35.190.72.216	192.168.2.4
Oct 26, 2024 19:17:18.642389059 CEST	49781	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:17:18.643816948 CEST	49781	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:17:18.643851995 CEST	443	49781	35.190.72.216	192.168.2.4
Oct 26, 2024 19:17:18.663873911 CEST	49782	443	192.168.2.4	35.201.103.21
Oct 26, 2024 19:17:18.663913012 CEST	443	49782	35.201.103.21	192.168.2.4
Oct 26, 2024 19:17:18.667994022 CEST	49782	443	192.168.2.4	35.201.103.21
Oct 26, 2024 19:17:18.669312954 CEST	49782	443	192.168.2.4	35.201.103.21
Oct 26, 2024 19:17:18.669326067 CEST	443	49782	35.201.103.21	192.168.2.4
Oct 26, 2024 19:17:19.204407930 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.207370043 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.210769892 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.210788012 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.211568117 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.213537931 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.213634014 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.213957071 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.214485884 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.217766047 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:19.223521948 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:19.234884024 CEST	443	49780	151.101.65.91	192.168.2.4
Oct 26, 2024 19:17:19.238066912 CEST	49780	443	192.168.2.4	151.101.65.91
Oct 26, 2024 19:17:19.238358974 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:19.238394022 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:19.238504887 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:19.241300106 CEST	49780	443	192.168.2.4	151.101.65.91
Oct 26, 2024 19:17:19.241307020 CEST	443	49780	151.101.65.91	192.168.2.4
Oct 26, 2024 19:17:19.241555929 CEST	443	49780	151.101.65.91	192.168.2.4
Oct 26, 2024 19:17:19.244056940 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:19.244066954 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:19.244348049 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:19.246870041 CEST	49780	443	192.168.2.4	151.101.65.91
Oct 26, 2024 19:17:19.246961117 CEST	49780	443	192.168.2.4	151.101.65.91
Oct 26, 2024 19:17:19.247030020 CEST	443	49780	151.101.65.91	192.168.2.4
Oct 26, 2024 19:17:19.247184038 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:19.247229099 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:19.247337103 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:19.247358084 CEST	49780	443	192.168.2.4	151.101.65.91
Oct 26, 2024 19:17:19.247569084 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:19.253223896 CEST	443	49781	35.190.72.216	192.168.2.4
Oct 26, 2024 19:17:19.254978895 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.255007982 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.255259991 CEST	49781	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:17:19.255265951 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.257566929 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.257580996 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.258058071 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.258091927 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.258562088 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.258766890 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.258780956 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.260292053 CEST	49781	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:17:19.260345936 CEST	443	49781	35.190.72.216	192.168.2.4
Oct 26, 2024 19:17:19.260379076 CEST	49781	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:17:19.260545969 CEST	443	49781	35.190.72.216	192.168.2.4
Oct 26, 2024 19:17:19.260813951 CEST	49781	443	192.168.2.4	35.190.72.216
Oct 26, 2024 19:17:19.263056993 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.263094902 CEST	443	49785	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.264504910 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.264723063 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.264731884 CEST	443	49785	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.307014942 CEST	443	49782	35.201.103.21	192.168.2.4
Oct 26, 2024 19:17:19.307451963 CEST	49782	443	192.168.2.4	35.201.103.21
Oct 26, 2024 19:17:19.311351061 CEST	49782	443	192.168.2.4	35.201.103.21
Oct 26, 2024 19:17:19.311381102 CEST	443	49782	35.201.103.21	192.168.2.4
Oct 26, 2024 19:17:19.311433077 CEST	49782	443	192.168.2.4	35.201.103.21
Oct 26, 2024 19:17:19.311886072 CEST	443	49782	35.201.103.21	192.168.2.4
Oct 26, 2024 19:17:19.312551975 CEST	49782	443	192.168.2.4	35.201.103.21
Oct 26, 2024 19:17:19.330503941 CEST	49786	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:19.330533981 CEST	443	49786	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:19.330702066 CEST	49786	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:19.330702066 CEST	49786	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:19.330729961 CEST	443	49786	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:19.342634916 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:19.345273018 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:19.350651979 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:19.387690067 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:19.470305920 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:19.519321918 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:19.874018908 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.874124050 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.878159046 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.878166914 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.878978968 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.880852938 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.881041050 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.881040096 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.881128073 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.881378889 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.883553028 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.883563995 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.883965015 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.885976076 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.886126041 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.886188030 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.886315107 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.886646032 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.888266087 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:19.893676996 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:19.905706882 CEST	443	49785	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.905786037 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.908309937 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.908315897 CEST	443	49785	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.908531904 CEST	443	49785	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.910403967 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.910490036 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.910523891 CEST	443	49785	35.244.181.201	192.168.2.4
Oct 26, 2024 19:17:19.911621094 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:19.911633015 CEST	49785	443	192.168.2.4	35.244.181.201
Oct 26, 2024 19:17:20.013636112 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:20.020529985 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:20.026658058 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:20.058506966 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:20.127821922 CEST	443	49786	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:20.127912045 CEST	49786	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:20.130913973 CEST	49786	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:20.130924940 CEST	443	49786	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:20.131262064 CEST	443	49786	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:20.133172989 CEST	49786	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:20.133254051 CEST	49786	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:20.133358002 CEST	443	49786	34.149.100.209	192.168.2.4
Oct 26, 2024 19:17:20.134327888 CEST	49786	443	192.168.2.4	34.149.100.209
Oct 26, 2024 19:17:20.136089087 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:20.141457081 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:20.145919085 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:20.190001965 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:20.261106014 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:20.263875008 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:20.269326925 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:20.305915117 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:20.388796091 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:20.443974018 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:21.864016056 CEST	49788	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:21.864057064 CEST	443	49788	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:21.864859104 CEST	49788	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:21.866206884 CEST	49788	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:21.866221905 CEST	443	49788	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:22.480190992 CEST	443	49788	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:22.480304003 CEST	49788	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:22.488627911 CEST	49788	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:22.488641977 CEST	443	49788	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:22.488712072 CEST	49788	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:22.488924026 CEST	443	49788	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:22.489295006 CEST	49788	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:22.491251945 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:22.496759892 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:22.616255999 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:22.619138956 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:22.624667883 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:22.666115046 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:22.744570971 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:22.797593117 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:32.624749899 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:32.630271912 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:32.756396055 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:32.762128115 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:42.639046907 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:42.644335032 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:42.767343044 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:42.772609949 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:42.943237066 CEST	49815	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:42.943295956 CEST	443	49815	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:42.944003105 CEST	49815	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:42.946074963 CEST	49815	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:42.946105957 CEST	443	49815	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:43.566931963 CEST	443	49815	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:43.567078114 CEST	49815	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:43.572963953 CEST	49815	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:43.572983980 CEST	443	49815	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:43.573136091 CEST	49815	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:43.573220968 CEST	443	49815	34.107.243.93	192.168.2.4
Oct 26, 2024 19:17:43.573744059 CEST	49815	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:17:43.577147961 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:43.583271980 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:43.703139067 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:43.706618071 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:43.712762117 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:43.754707098 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:43.842137098 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:43.886445999 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:49.111501932 CEST	49851	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.111555099 CEST	443	49851	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.112246990 CEST	49851	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.112684965 CEST	49851	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.112709999 CEST	443	49851	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.210160971 CEST	49852	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.210220098 CEST	443	49852	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.210472107 CEST	49853	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.210557938 CEST	443	49853	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.217763901 CEST	49852	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.217938900 CEST	49853	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.218100071 CEST	49852	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.218113899 CEST	443	49852	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.218205929 CEST	49853	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.218225956 CEST	443	49853	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.746843100 CEST	443	49851	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.747212887 CEST	49851	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.750994921 CEST	49851	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.751008034 CEST	443	49851	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.751266003 CEST	443	49851	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.753987074 CEST	49851	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.753987074 CEST	49851	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.754329920 CEST	443	49851	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.754424095 CEST	49851	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.758002043 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:49.763325930 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:49.832273960 CEST	443	49852	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.832293987 CEST	443	49852	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.832473040 CEST	49852	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.836489916 CEST	49852	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.836504936 CEST	443	49852	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.836990118 CEST	443	49852	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.839195967 CEST	49852	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.839308023 CEST	49852	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.839413881 CEST	443	49852	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.840111017 CEST	49852	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.850157022 CEST	443	49853	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.850195885 CEST	443	49853	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.850270987 CEST	49853	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.854232073 CEST	49853	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.854260921 CEST	443	49853	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.854587078 CEST	443	49853	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.857150078 CEST	49853	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.857270002 CEST	49853	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.857338905 CEST	443	49853	34.120.208.123	192.168.2.4
Oct 26, 2024 19:17:49.858210087 CEST	49853	443	192.168.2.4	34.120.208.123
Oct 26, 2024 19:17:49.893090963 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:49.896614075 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:49.901967049 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:49.948004007 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:50.031095028 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:17:50.079510927 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:59.904711008 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:17:59.910482883 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:00.036279917 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:00.042613983 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:09.919455051 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:09.925177097 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:10.050806999 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:10.056269884 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:19.932452917 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:19.938168049 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:20.063874960 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:20.069448948 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:23.658626080 CEST	50040	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:18:23.658694029 CEST	443	50040	34.107.243.93	192.168.2.4
Oct 26, 2024 19:18:23.667330027 CEST	50040	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:18:23.668931007 CEST	50040	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:18:23.668982029 CEST	443	50040	34.107.243.93	192.168.2.4
Oct 26, 2024 19:18:24.292264938 CEST	443	50040	34.107.243.93	192.168.2.4
Oct 26, 2024 19:18:24.292285919 CEST	443	50040	34.107.243.93	192.168.2.4
Oct 26, 2024 19:18:24.292903900 CEST	50040	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:18:24.298290014 CEST	50040	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:18:24.298322916 CEST	443	50040	34.107.243.93	192.168.2.4
Oct 26, 2024 19:18:24.298399925 CEST	50040	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:18:24.298532963 CEST	443	50040	34.107.243.93	192.168.2.4
Oct 26, 2024 19:18:24.298607111 CEST	50040	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:18:24.301018000 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:24.306806087 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:24.426429987 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:24.430318117 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:24.435663939 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:24.476650953 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:24.555013895 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:24.608144045 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:34.434999943 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:34.440802097 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:34.557347059 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:34.562944889 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:44.449470997 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:44.455075979 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:44.564775944 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:44.570337057 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:54.461010933 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:54.466552973 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:18:54.576946974 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:18:54.582678080 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:04.475518942 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:04.481328011 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:04.591370106 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:04.597474098 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:14.488707066 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:14.494503975 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:14.620189905 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:14.625654936 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:24.509090900 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:24.515151978 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:24.640234947 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:24.646440029 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:34.527251959 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:34.532941103 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:34.658994913 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:34.664654970 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:44.345431089 CEST	50060	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:19:44.345521927 CEST	443	50060	34.107.243.93	192.168.2.4
Oct 26, 2024 19:19:44.346052885 CEST	50060	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:19:44.347958088 CEST	50060	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:19:44.348011971 CEST	443	50060	34.107.243.93	192.168.2.4
Oct 26, 2024 19:19:44.539561033 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:44.545629025 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:44.677635908 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:44.683526993 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:44.976218939 CEST	443	50060	34.107.243.93	192.168.2.4
Oct 26, 2024 19:19:44.976681948 CEST	50060	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:19:44.983460903 CEST	50060	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:19:44.983462095 CEST	50060	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:19:44.983499050 CEST	443	50060	34.107.243.93	192.168.2.4
Oct 26, 2024 19:19:44.984236956 CEST	443	50060	34.107.243.93	192.168.2.4
Oct 26, 2024 19:19:44.986437082 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:44.992079973 CEST	50060	443	192.168.2.4	34.107.243.93
Oct 26, 2024 19:19:44.992281914 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:45.112106085 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:45.118400097 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:45.124437094 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:45.163830996 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 26, 2024 19:19:45.244462013 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 26, 2024 19:19:45.295087099 CEST	49753	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 19:16:49.825871944 CEST	64527	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:49.834270954 CEST	53	64527	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:49.838717937 CEST	56592	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:49.846594095 CEST	53	56592	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:51.782027006 CEST	51504	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:51.782155037 CEST	53188	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:51.789733887 CEST	53	53188	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:51.793694019 CEST	64189	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:51.795200109 CEST	49485	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:51.800825119 CEST	53	64189	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:51.801637888 CEST	53076	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:51.802365065 CEST	53	49485	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:51.802923918 CEST	57794	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:51.809336901 CEST	53	53076	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:51.810956001 CEST	53	57794	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.687398911 CEST	49502	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.692667007 CEST	65074	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.695242882 CEST	53	49502	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.699435949 CEST	56765	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.700692892 CEST	53	65074	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.706763029 CEST	62287	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.706763029 CEST	49579	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.706938982 CEST	53	56765	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.715193033 CEST	53	49579	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.715208054 CEST	53	62287	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.717924118 CEST	57630	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.718759060 CEST	64109	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.726123095 CEST	53	57630	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.727396965 CEST	53	64109	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.848018885 CEST	50966	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.849148035 CEST	52000	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.857426882 CEST	53	50966	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.877720118 CEST	64780	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.887573957 CEST	53	64780	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:52.911819935 CEST	51490	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:52.920207024 CEST	53	51490	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:53.658535004 CEST	49233	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:53.666203976 CEST	53	49233	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:53.678235054 CEST	51096	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:53.686463118 CEST	53	51096	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:53.698971033 CEST	52047	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:53.706839085 CEST	53	52047	1.1.1.1	192.168.2.4
Oct 26, 2024 19:16:55.783847094 CEST	51269	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:16:55.812563896 CEST	53	65085	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.445338964 CEST	58588	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.452507973 CEST	53	58588	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.454853058 CEST	51136	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.462779045 CEST	53	51136	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.472764969 CEST	55678	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.477049112 CEST	61552	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.480581045 CEST	53	55678	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.481772900 CEST	51059	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.484227896 CEST	58178	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.484633923 CEST	53	61552	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.485358000 CEST	51073	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.485765934 CEST	62044	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.489276886 CEST	53	51059	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.492598057 CEST	59132	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.493470907 CEST	53	58178	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.493545055 CEST	53	51073	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.493580103 CEST	53	62044	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.499950886 CEST	53	59132	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.502948046 CEST	64865	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.506850958 CEST	51406	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.510696888 CEST	53	64865	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.514386892 CEST	53	51406	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:00.520140886 CEST	64760	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:00.527597904 CEST	53	64760	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.133563042 CEST	64982	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.141345024 CEST	53	64982	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.770278931 CEST	59046	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.770862103 CEST	49767	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.771194935 CEST	57663	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.777920961 CEST	53	59046	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.778867006 CEST	53	49767	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.779357910 CEST	53	57663	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.779905081 CEST	57010	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.787807941 CEST	53	57010	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.794496059 CEST	64425	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.794523954 CEST	57078	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.794725895 CEST	50198	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.802218914 CEST	53	57078	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.802738905 CEST	62416	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.803256035 CEST	53	64425	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.803294897 CEST	53	50198	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.803688049 CEST	53480	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.803864002 CEST	65389	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.810714960 CEST	53	62416	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.811265945 CEST	56057	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.811342001 CEST	53	53480	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.811362028 CEST	53	65389	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.812031984 CEST	59538	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.819224119 CEST	53	56057	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.819904089 CEST	53	59538	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.822242975 CEST	56984	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.822290897 CEST	59938	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.830224991 CEST	53	59938	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.830262899 CEST	53	56984	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:06.830689907 CEST	49932	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:06.838687897 CEST	53	49932	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:11.232098103 CEST	54532	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:11.240266085 CEST	53	54532	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:18.579910040 CEST	63553	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:18.588562012 CEST	53	63553	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:18.589256048 CEST	58228	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:18.596549034 CEST	53	58228	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:18.600790024 CEST	60751	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:18.608555079 CEST	53	60751	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:18.616298914 CEST	52490	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:18.625416040 CEST	53	52490	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:18.627712965 CEST	56247	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:18.635122061 CEST	53	56247	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:18.654239893 CEST	51005	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:18.662798882 CEST	53	51005	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:18.664609909 CEST	56972	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:18.673309088 CEST	53	56972	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:18.675409079 CEST	53356	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:18.683907032 CEST	53	53356	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:21.853760004 CEST	54380	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:21.860975027 CEST	53	54380	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:21.864156961 CEST	58980	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:21.871390104 CEST	53	58980	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:22.491112947 CEST	57702	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:42.944039106 CEST	54413	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:42.951682091 CEST	53	54413	1.1.1.1	192.168.2.4
Oct 26, 2024 19:17:49.145629883 CEST	50046	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:17:49.153985023 CEST	53	50046	1.1.1.1	192.168.2.4
Oct 26, 2024 19:18:23.649126053 CEST	60745	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:18:23.657008886 CEST	53	60745	1.1.1.1	192.168.2.4
Oct 26, 2024 19:18:23.657947063 CEST	62657	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:18:23.667581081 CEST	53	62657	1.1.1.1	192.168.2.4
Oct 26, 2024 19:18:24.301395893 CEST	65499	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:19:44.327208996 CEST	54200	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:19:44.335009098 CEST	53	54200	1.1.1.1	192.168.2.4
Oct 26, 2024 19:19:44.336185932 CEST	60846	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:19:44.344181061 CEST	53	60846	1.1.1.1	192.168.2.4
Oct 26, 2024 19:19:44.345057011 CEST	55654	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:19:44.352772951 CEST	53	55654	1.1.1.1	192.168.2.4
Oct 26, 2024 19:19:44.987773895 CEST	54319	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:19:44.997241974 CEST	60767	53	192.168.2.4	1.1.1.1
Oct 26, 2024 19:19:45.005259037 CEST	53	60767	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 19:16:49.825871944 CEST	192.168.2.4	1.1.1.1	0x85bb	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:49.838717937 CEST	192.168.2.4	1.1.1.1	0xa4e4	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:16:51.782027006 CEST	192.168.2.4	1.1.1.1	0x2207	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.782155037 CEST	192.168.2.4	1.1.1.1	0x747	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.793694019 CEST	192.168.2.4	1.1.1.1	0x1836	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.795200109 CEST	192.168.2.4	1.1.1.1	0x3bf3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.801637888 CEST	192.168.2.4	1.1.1.1	0xe7f8	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 26, 2024 19:16:51.802923918 CEST	192.168.2.4	1.1.1.1	0xe5f9	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:16:52.687398911 CEST	192.168.2.4	1.1.1.1	0x758b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.692667007 CEST	192.168.2.4	1.1.1.1	0x9f00	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.699435949 CEST	192.168.2.4	1.1.1.1	0x87e7	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.706763029 CEST	192.168.2.4	1.1.1.1	0x1442	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.706763029 CEST	192.168.2.4	1.1.1.1	0xc3dd	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.717924118 CEST	192.168.2.4	1.1.1.1	0x8c9d	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:16:52.718759060 CEST	192.168.2.4	1.1.1.1	0xd43f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:16:52.848018885 CEST	192.168.2.4	1.1.1.1	0xaf	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.849148035 CEST	192.168.2.4	1.1.1.1	0xb223	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.877720118 CEST	192.168.2.4	1.1.1.1	0x55c6	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.911819935 CEST	192.168.2.4	1.1.1.1	0x3a6c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:16:53.658535004 CEST	192.168.2.4	1.1.1.1	0xb1fc	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:53.678235054 CEST	192.168.2.4	1.1.1.1	0x8e09	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:53.698971033 CEST	192.168.2.4	1.1.1.1	0x4b20	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:16:55.783847094 CEST	192.168.2.4	1.1.1.1	0x27bb	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.445338964 CEST	192.168.2.4	1.1.1.1	0xa0ba	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:17:00.454853058 CEST	192.168.2.4	1.1.1.1	0x391e	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.472764969 CEST	192.168.2.4	1.1.1.1	0x165d	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.477049112 CEST	192.168.2.4	1.1.1.1	0xb2fe	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.481772900 CEST	192.168.2.4	1.1.1.1	0x256a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.484227896 CEST	192.168.2.4	1.1.1.1	0x4909	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:17:00.485358000 CEST	192.168.2.4	1.1.1.1	0x466c	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.485765934 CEST	192.168.2.4	1.1.1.1	0xe784	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.492598057 CEST	192.168.2.4	1.1.1.1	0xdfd2	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:00.502948046 CEST	192.168.2.4	1.1.1.1	0xc213	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:00.506850958 CEST	192.168.2.4	1.1.1.1	0xf20c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.520140886 CEST	192.168.2.4	1.1.1.1	0xf912	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:17:06.133563042 CEST	192.168.2.4	1.1.1.1	0xa916	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:06.770278931 CEST	192.168.2.4	1.1.1.1	0x4c4d	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.770862103 CEST	192.168.2.4	1.1.1.1	0xbc48	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.771194935 CEST	192.168.2.4	1.1.1.1	0x9927	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.779905081 CEST	192.168.2.4	1.1.1.1	0x9575	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.794496059 CEST	192.168.2.4	1.1.1.1	0xf88e	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.794523954 CEST	192.168.2.4	1.1.1.1	0xadb5	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.794725895 CEST	192.168.2.4	1.1.1.1	0x3202	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:06.802738905 CEST	192.168.2.4	1.1.1.1	0xadc3	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:06.803688049 CEST	192.168.2.4	1.1.1.1	0x452e	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 26, 2024 19:17:06.803864002 CEST	192.168.2.4	1.1.1.1	0xecbb	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.811265945 CEST	192.168.2.4	1.1.1.1	0xdda	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.812031984 CEST	192.168.2.4	1.1.1.1	0xc988	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.822242975 CEST	192.168.2.4	1.1.1.1	0xa6e	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 26, 2024 19:17:06.822290897 CEST	192.168.2.4	1.1.1.1	0x74c	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.830689907 CEST	192.168.2.4	1.1.1.1	0xf0b1	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:11.232098103 CEST	192.168.2.4	1.1.1.1	0x4060	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:18.579910040 CEST	192.168.2.4	1.1.1.1	0xc03d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.589256048 CEST	192.168.2.4	1.1.1.1	0x947	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 26, 2024 19:17:18.600790024 CEST	192.168.2.4	1.1.1.1	0xf4aa	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.616298914 CEST	192.168.2.4	1.1.1.1	0xf57a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.627712965 CEST	192.168.2.4	1.1.1.1	0xc023	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 26, 2024 19:17:18.654239893 CEST	192.168.2.4	1.1.1.1	0xff64	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.664609909 CEST	192.168.2.4	1.1.1.1	0x4017	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.675409079 CEST	192.168.2.4	1.1.1.1	0x772c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:21.853760004 CEST	192.168.2.4	1.1.1.1	0x56e7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:21.864156961 CEST	192.168.2.4	1.1.1.1	0xecfa	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:22.491112947 CEST	192.168.2.4	1.1.1.1	0x24de	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:42.944039106 CEST	192.168.2.4	1.1.1.1	0xd949	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:17:49.145629883 CEST	192.168.2.4	1.1.1.1	0x49a8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:18:23.649126053 CEST	192.168.2.4	1.1.1.1	0xe21d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:18:23.657947063 CEST	192.168.2.4	1.1.1.1	0x635c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:18:24.301395893 CEST	192.168.2.4	1.1.1.1	0x5a4e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:19:44.327208996 CEST	192.168.2.4	1.1.1.1	0xa41b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:19:44.336185932 CEST	192.168.2.4	1.1.1.1	0x59d7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:19:44.345057011 CEST	192.168.2.4	1.1.1.1	0x3940	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 26, 2024 19:19:44.987773895 CEST	192.168.2.4	1.1.1.1	0xa72a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:19:44.997241974 CEST	192.168.2.4	1.1.1.1	0x31d8	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 19:16:49.790232897 CEST	1.1.1.1	192.168.2.4	0x8cb	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:49.834270954 CEST	1.1.1.1	192.168.2.4	0x85bb	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.789733887 CEST	1.1.1.1	192.168.2.4	0x747	No error (0)	youtube.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.789978981 CEST	1.1.1.1	192.168.2.4	0x2207	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:16:51.789978981 CEST	1.1.1.1	192.168.2.4	0x2207	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.800825119 CEST	1.1.1.1	192.168.2.4	0x1836	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.802365065 CEST	1.1.1.1	192.168.2.4	0x3bf3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:51.809336901 CEST	1.1.1.1	192.168.2.4	0xe7f8	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 26, 2024 19:16:51.810956001 CEST	1.1.1.1	192.168.2.4	0xe5f9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 26, 2024 19:16:52.692131996 CEST	1.1.1.1	192.168.2.4	0x8c07	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:16:52.692131996 CEST	1.1.1.1	192.168.2.4	0x8c07	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.695242882 CEST	1.1.1.1	192.168.2.4	0x758b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.700692892 CEST	1.1.1.1	192.168.2.4	0x9f00	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.706938982 CEST	1.1.1.1	192.168.2.4	0x87e7	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.706938982 CEST	1.1.1.1	192.168.2.4	0x87e7	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.715193033 CEST	1.1.1.1	192.168.2.4	0xc3dd	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.715208054 CEST	1.1.1.1	192.168.2.4	0x1442	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.857426882 CEST	1.1.1.1	192.168.2.4	0xaf	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:16:52.857426882 CEST	1.1.1.1	192.168.2.4	0xaf	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.858704090 CEST	1.1.1.1	192.168.2.4	0xb223	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:16:52.858704090 CEST	1.1.1.1	192.168.2.4	0xb223	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:52.887573957 CEST	1.1.1.1	192.168.2.4	0x55c6	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:53.666203976 CEST	1.1.1.1	192.168.2.4	0xb1fc	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:16:53.666203976 CEST	1.1.1.1	192.168.2.4	0xb1fc	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:16:53.666203976 CEST	1.1.1.1	192.168.2.4	0xb1fc	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:53.686463118 CEST	1.1.1.1	192.168.2.4	0x8e09	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:16:53.706839085 CEST	1.1.1.1	192.168.2.4	0x4b20	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 26, 2024 19:16:55.792148113 CEST	1.1.1.1	192.168.2.4	0x27bb	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:00.452333927 CEST	1.1.1.1	192.168.2.4	0x4484	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:00.452333927 CEST	1.1.1.1	192.168.2.4	0x4484	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.462779045 CEST	1.1.1.1	192.168.2.4	0x391e	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:00.462779045 CEST	1.1.1.1	192.168.2.4	0x391e	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:00.462779045 CEST	1.1.1.1	192.168.2.4	0x391e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.479978085 CEST	1.1.1.1	192.168.2.4	0xe061	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.480581045 CEST	1.1.1.1	192.168.2.4	0x165d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.484633923 CEST	1.1.1.1	192.168.2.4	0xb2fe	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.489276886 CEST	1.1.1.1	192.168.2.4	0x256a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.493545055 CEST	1.1.1.1	192.168.2.4	0x466c	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:00.493545055 CEST	1.1.1.1	192.168.2.4	0x466c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.493580103 CEST	1.1.1.1	192.168.2.4	0xe784	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:00.514386892 CEST	1.1.1.1	192.168.2.4	0xf20c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.140650034 CEST	1.1.1.1	192.168.2.4	0xda7b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.777920961 CEST	1.1.1.1	192.168.2.4	0x4c4d	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.778867006 CEST	1.1.1.1	192.168.2.4	0xbc48	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:06.778867006 CEST	1.1.1.1	192.168.2.4	0xbc48	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.779357910 CEST	1.1.1.1	192.168.2.4	0x9927	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:06.779357910 CEST	1.1.1.1	192.168.2.4	0x9927	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.787807941 CEST	1.1.1.1	192.168.2.4	0x9575	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.802218914 CEST	1.1.1.1	192.168.2.4	0xadb5	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.803256035 CEST	1.1.1.1	192.168.2.4	0xf88e	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.803294897 CEST	1.1.1.1	192.168.2.4	0x3202	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 26, 2024 19:17:06.810714960 CEST	1.1.1.1	192.168.2.4	0xadc3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 19:17:06.810714960 CEST	1.1.1.1	192.168.2.4	0xadc3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 19:17:06.810714960 CEST	1.1.1.1	192.168.2.4	0xadc3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 19:17:06.810714960 CEST	1.1.1.1	192.168.2.4	0xadc3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 26, 2024 19:17:06.811342001 CEST	1.1.1.1	192.168.2.4	0x452e	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 26, 2024 19:17:06.811362028 CEST	1.1.1.1	192.168.2.4	0xecbb	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:06.811362028 CEST	1.1.1.1	192.168.2.4	0xecbb	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.811362028 CEST	1.1.1.1	192.168.2.4	0xecbb	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.811362028 CEST	1.1.1.1	192.168.2.4	0xecbb	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.811362028 CEST	1.1.1.1	192.168.2.4	0xecbb	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.819224119 CEST	1.1.1.1	192.168.2.4	0xdda	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.819904089 CEST	1.1.1.1	192.168.2.4	0xc988	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.819904089 CEST	1.1.1.1	192.168.2.4	0xc988	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.819904089 CEST	1.1.1.1	192.168.2.4	0xc988	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.819904089 CEST	1.1.1.1	192.168.2.4	0xc988	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:06.830224991 CEST	1.1.1.1	192.168.2.4	0x74c	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.586088896 CEST	1.1.1.1	192.168.2.4	0xbbc	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:18.586088896 CEST	1.1.1.1	192.168.2.4	0xbbc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.588562012 CEST	1.1.1.1	192.168.2.4	0xc03d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.608555079 CEST	1.1.1.1	192.168.2.4	0xf4aa	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.608555079 CEST	1.1.1.1	192.168.2.4	0xf4aa	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.608555079 CEST	1.1.1.1	192.168.2.4	0xf4aa	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.608555079 CEST	1.1.1.1	192.168.2.4	0xf4aa	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.625416040 CEST	1.1.1.1	192.168.2.4	0xf57a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.625416040 CEST	1.1.1.1	192.168.2.4	0xf57a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.625416040 CEST	1.1.1.1	192.168.2.4	0xf57a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.625416040 CEST	1.1.1.1	192.168.2.4	0xf57a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.662798882 CEST	1.1.1.1	192.168.2.4	0xff64	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:18.662798882 CEST	1.1.1.1	192.168.2.4	0xff64	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:18.673309088 CEST	1.1.1.1	192.168.2.4	0x4017	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:19.899642944 CEST	1.1.1.1	192.168.2.4	0x5226	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:19.899642944 CEST	1.1.1.1	192.168.2.4	0x5226	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:21.860975027 CEST	1.1.1.1	192.168.2.4	0x56e7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:22.499394894 CEST	1.1.1.1	192.168.2.4	0x24de	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:17:22.499394894 CEST	1.1.1.1	192.168.2.4	0x24de	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:17:49.117909908 CEST	1.1.1.1	192.168.2.4	0x6a52	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:18:23.657008886 CEST	1.1.1.1	192.168.2.4	0xe21d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:18:24.308913946 CEST	1.1.1.1	192.168.2.4	0x5a4e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:18:24.308913946 CEST	1.1.1.1	192.168.2.4	0x5a4e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:19:44.335009098 CEST	1.1.1.1	192.168.2.4	0xa41b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:19:44.344181061 CEST	1.1.1.1	192.168.2.4	0x59d7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:19:44.995687962 CEST	1.1.1.1	192.168.2.4	0xa72a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 19:19:44.995687962 CEST	1.1.1.1	192.168.2.4	0xa72a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 26, 2024 19:19:45.005259037 CEST	1.1.1.1	192.168.2.4	0x31d8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	3612	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 19:16:51.952369928 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:16:52.624005079 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12755 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	34.107.221.82	80	3612	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 19:16:52.890877008 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:16:53.488377094 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16620 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	34.107.221.82	80	3612	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 19:16:53.698585987 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:16:54.295417070 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12757 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:16:54.715337992 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:16:54.840709925 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12757 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:00.474184036 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:00.599406004 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12763 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:05.900248051 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:06.025693893 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12768 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:08.266896963 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:08.392477989 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12771 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:09.049062014 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:09.174391985 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12772 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:09.833997011 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:09.959814072 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12772 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:10.104454041 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:10.230093956 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12773 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:10.499645948 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:10.625143051 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12773 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:11.133227110 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:11.260730982 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12774 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:11.850635052 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:11.975944996 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12774 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:19.217766047 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:19.342634916 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12782 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:19.888266087 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:20.013636112 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12782 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:20.136089087 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:20.261106014 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12783 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:22.491251945 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:22.616255999 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12785 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:32.624749899 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:17:42.639046907 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:17:43.577147961 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:43.703139067 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12806 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:49.758002043 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:17:49.893090963 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12812 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:17:59.904711008 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:09.919455051 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:19.932452917 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:24.301018000 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:18:24.426429987 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12847 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 26, 2024 19:18:34.434999943 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:44.449470997 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:54.461010933 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:19:04.475518942 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:19:14.488707066 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:19:44.986437082 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 26, 2024 19:19:45.112106085 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 12928 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49752	34.107.221.82	80	3612	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 19:16:54.561276913 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49753	34.107.221.82	80	3612	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 19:16:55.461173058 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:16:56.056538105 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16622 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:05.223016024 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:05.347831964 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16632 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:06.749835968 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:06.875159979 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16633 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:08.567220926 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:08.692579031 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16635 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:09.216279030 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:09.341265917 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16636 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:09.962657928 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:10.087393999 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16637 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:10.233108044 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:10.357886076 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16637 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:10.628151894 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:10.755012035 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16637 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:11.266815901 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:11.392074108 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16638 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:11.978869915 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:12.103599072 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16639 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:19.345273018 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:19.470305920 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16646 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:20.020529985 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:20.145919085 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16647 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:20.263875008 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:20.388796091 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16647 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:22.619138956 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:22.744570971 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16649 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:32.756396055 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:17:42.767343044 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:17:43.706618071 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:43.842137098 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16670 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:17:49.896614075 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:17:50.031095028 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16676 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:18:00.036279917 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:10.050806999 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:20.063874960 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:24.430318117 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:18:24.555013895 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16711 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 26, 2024 19:18:34.557347059 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:44.564775944 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:18:54.576946974 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:19:04.591370106 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:19:14.620189905 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 26, 2024 19:19:45.118400097 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 26, 2024 19:19:45.244462013 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 16792 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	13:16:42
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4f0000
File size:	919'552 bytes
MD5 hash:	EFC94402D2CAA77BFD60F0284F19C149
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:16:42
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x900000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:16:42
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:16:45
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x900000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:16:45
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:16:45
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x900000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:16:45
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:16:45
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x900000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:16:45
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:16:45
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x7ff7699e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:16:45
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:16:46
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:16:46
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:16:46
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	13:16:47
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d2f54c-3382-4854-a701-1ab4e653a17d} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241e706ed10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:16:49
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3492 -parentBuildID 20230927232528 -prefsHandle 3296 -prefMapHandle 1004 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2f1bb6d-6f07-407d-844b-36996831da47} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241f8d5a310 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	13:16:55
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 33074 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52572232-28b6-441a-a52c-2028632fc4f5} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" 241f8689510 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1575
Total number of Limit Nodes:	78

Executed Functions

Function 004F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004F430D

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

GetCurrentProcess.KERNEL32(?,0058CB64,00000000,?,?), ref: 004F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 004F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 004F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 004F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 004F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004F44A0

Strings

kernel32.dll, xrefs: 004F444F
GetNativeSystemInfo, xrefs: 004F4460
|O, xrefs: 005336F8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 710b43d934ff1eed517e4edb07e14542cce83ec1f580481210aa4026e0b72be8
Instruction ID: 6b81fa5c1b001c5696f9db8654650fac93d5a236c42a967e1b7b4aedc5394d8f
Opcode Fuzzy Hash: 710b43d934ff1eed517e4edb07e14542cce83ec1f580481210aa4026e0b72be8
Instruction Fuzzy Hash: 26A1143191AEC4CFC712C7A87C419A63FA47B73F48B145D99D441A3A23D638460DEB2E

Function 004F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004F50AA,?,?,00000000,00000000), ref: 004F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004F50AA,?,?,00000000,00000000), ref: 004F42C9
LoadResource.KERNEL32(?,00000000,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20), ref: 005335BE
SizeofResource.KERNEL32(?,00000000,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20), ref: 005335D3
LockResource.KERNEL32(004F50AA,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20,?), ref: 005335E6

Strings

SCRIPT, xrefs: 004F42BF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 15f83ed939a37e651509a092ae384fc5d9a62843a479c99c2ec9075e1183d44a
Instruction ID: a1656488022dcaf32c65ef728da209c720ff0fbd563d9dde438c271eac9d1236
Opcode Fuzzy Hash: 15f83ed939a37e651509a092ae384fc5d9a62843a479c99c2ec9075e1183d44a
Instruction Fuzzy Hash: 47117C74200704BFE7218B65DC48F277FB9EBD5B91F1081AAF902A66A0DB71D8049B30

Function 00532BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 004F2B6B

Part of subcall function 004F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005C1418,?,004F2E7F,?,?,?,00000000), ref: 004F3A78

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005B2224), ref: 00532C10
ShellExecuteW.SHELL32(00000000,?,?,005B2224), ref: 00532C17

Strings

runas, xrefs: 00532C0B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d1ee14e64f9802ee53ab2054c8149aa83b96f02889f43ad6b922d2f90a383f14
Instruction ID: 1e1a4abb521f2d19feecc91ce96f6e213c0b1725f8985747473072b63dce7234
Opcode Fuzzy Hash: d1ee14e64f9802ee53ab2054c8149aa83b96f02889f43ad6b922d2f90a383f14
Instruction Fuzzy Hash: 4911E7311087496ECB05FF61D852EBEBBE4AB91745F04141FF742520A3DF789909D71A

Function 0055D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0055D501
Process32FirstW.KERNEL32(00000000,?), ref: 0055D50F
Process32NextW.KERNEL32(00000000,?), ref: 0055D52F
CloseHandle.KERNELBASE(00000000), ref: 0055D5DC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: eda02c89e49480e65e48f2b8ebc0a9726304409f9239f3f936033e57bd4231ac
Instruction ID: 3e7d0f6ed1dcbe74b3832d36a982f1d13412bd6f21aa4dccb6748b74ff99dddd
Opcode Fuzzy Hash: eda02c89e49480e65e48f2b8ebc0a9726304409f9239f3f936033e57bd4231ac
Instruction Fuzzy Hash: 3B3192720082059FD310EF54C895ABFBFF8AF99344F14092EF985921A1EB719948CBA2

Function 0055DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00535222), ref: 0055DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0055DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0055DBEE
FindClose.KERNEL32(00000000), ref: 0055DBFA

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4b2d7073b9073fd5d5d27be9d3b8f32dc83ba13fb61b89dcfaf34d4b36ed428b
Instruction ID: 6eaccaa566848c88fa641c5c01fb2f7fc7fb9f78c5503ddcb22ee4b0fce20b12
Opcode Fuzzy Hash: 4b2d7073b9073fd5d5d27be9d3b8f32dc83ba13fb61b89dcfaf34d4b36ed428b
Instruction Fuzzy Hash: D0F08C328109109782306B68AC0D8AE3FBCAE41336B104702FC77D20E0EBB06D5C9AA5

Function 00514CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000,?,005228E9), ref: 00514D09
TerminateProcess.KERNEL32(00000000,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000,?,005228E9), ref: 00514D10
ExitProcess.KERNEL32 ref: 00514D22

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f1faec4a13b9a7d7cb52d8299fb74dd9e1e665379c47b51032c74edd68721702
Instruction ID: 39dbaad73aeaeead5e5ab53279e6e4b1597345be37f9e8b97de0e9466a4e1658
Opcode Fuzzy Hash: f1faec4a13b9a7d7cb52d8299fb74dd9e1e665379c47b51032c74edd68721702
Instruction Fuzzy Hash: 16E0B631000148ABDF11AF54ED0DA983F69FF92B81B105414FC099A122CB35ED86EF90

Function 004FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#\, xrefs: 005407CE

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#\
API String ID: 3964851224-2009390076
Opcode ID: ae3a5afb61089c9dd3429f9944efa0f0089522cbce622a8eb49f2b025a2a7c04
Instruction ID: 3020bb3dec30f43ca972c219665cbe904977c9c5ebc8bfd6b550369f27c3b636
Opcode Fuzzy Hash: ae3a5afb61089c9dd3429f9944efa0f0089522cbce622a8eb49f2b025a2a7c04
Instruction Fuzzy Hash: 63A27E705083458FD714DF14C580B6ABBE1FF89308F24896EEA8A8B392D775EC45CB96

Function 0057AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0057B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0057B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0057B1D4
_wcslen.LIBCMT ref: 0057B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0057B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0057B236
_wcslen.LIBCMT ref: 0057B332

Part of subcall function 005605A7: GetStdHandle.KERNEL32(000000F6), ref: 005605C6

_wcslen.LIBCMT ref: 0057B34B
_wcslen.LIBCMT ref: 0057B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0057B3B6
GetLastError.KERNEL32(00000000), ref: 0057B407
CloseHandle.KERNEL32(?), ref: 0057B439
CloseHandle.KERNEL32(00000000), ref: 0057B44A
CloseHandle.KERNEL32(00000000), ref: 0057B45C
CloseHandle.KERNEL32(00000000), ref: 0057B46E
CloseHandle.KERNEL32(?), ref: 0057B4E3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 89442a7f4966f9a73a696f1c3d2bf34c7458b0fe51aa4b794154ceab09363dcb
Instruction ID: 890f7f5d3bdd2ae729f8857758e9ee1b2664fb74599216ef257d29a7e3475c11
Opcode Fuzzy Hash: 89442a7f4966f9a73a696f1c3d2bf34c7458b0fe51aa4b794154ceab09363dcb
Instruction Fuzzy Hash: F9F1CC315043009FEB24EF25D895B6EBBE1BF85314F14885EF9898B2A2CB35EC44DB52

Function 004FD730 Relevance: 21.6, APIs: 14, Instructions: 626windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004FD807
timeGetTime.WINMM ref: 004FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FDB28
TranslateMessage.USER32(?), ref: 004FDB7B
DispatchMessageW.USER32(?), ref: 004FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FDB9F
Sleep.KERNELBASE(0000000A), ref: 004FDBB1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 308b966c459baef5f9a14d78cb337f43c5c7a7a7da21b37ba2bbda394290f513
Instruction ID: cb4b04c06aa066c081c47a71e8d214bf79a7b0b1b70b6268f7affc4e0bd2f7f7
Opcode Fuzzy Hash: 308b966c459baef5f9a14d78cb337f43c5c7a7a7da21b37ba2bbda394290f513
Instruction Fuzzy Hash: 29420370A04646DFD728CF24C888FBABBA2FF85308F54451EF95587291C7B4E844DB9A

Function 004F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004F2D07
RegisterClassExW.USER32(00000030), ref: 004F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F2D42
InitCommonControlsEx.COMCTL32(?), ref: 004F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F2D6F
LoadIconW.USER32(000000A9), ref: 004F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F2D94

Strings

TaskbarCreated, xrefs: 004F2D37
+, xrefs: 004F2CF0
0, xrefs: 004F2CE9
AutoIt v3 GUI, xrefs: 004F2D23

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4104e8db21216a91a5109d7b010f76bf082969c465e70d000720e223168efe13
Instruction ID: 38ae9de8e31270e70104911f10ea1465e91f8326e97706ec39918a7c2c7628a0
Opcode Fuzzy Hash: 4104e8db21216a91a5109d7b010f76bf082969c465e70d000720e223168efe13
Instruction Fuzzy Hash: 8E21EFB5901608EFDB00DFA4E889A9DBFB4FB19700F00811AFA11B62A0D7B14548EFA5

Function 0053065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0053039A: CreateFileW.KERNELBASE(00000000,00000000,?,00530704,?,?,00000000,?,00530704,00000000,0000000C), ref: 005303B7

GetLastError.KERNEL32 ref: 0053076F
__dosmaperr.LIBCMT ref: 00530776
GetFileType.KERNELBASE(00000000), ref: 00530782
GetLastError.KERNEL32 ref: 0053078C
__dosmaperr.LIBCMT ref: 00530795
CloseHandle.KERNEL32(00000000), ref: 005307B5
CloseHandle.KERNEL32(?), ref: 005308FF
GetLastError.KERNEL32 ref: 00530931
__dosmaperr.LIBCMT ref: 00530938

Strings

H, xrefs: 005308BD

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b38d3140aa378b2b2308e2419439a1aecb8001c9a5ba0cd84f0c2ced2a2faa39
Instruction ID: e75f4dea61ff8f3cf903d26927cbddbb5e5a27b494e0f8332ad5281b5e4b3c9b
Opcode Fuzzy Hash: b38d3140aa378b2b2308e2419439a1aecb8001c9a5ba0cd84f0c2ced2a2faa39
Instruction Fuzzy Hash: AAA12736A002098FDF19AF68DC66BAD7FA0FB46320F14115DF811EB2D1DB319856DB91

Function 004F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005C1418,?,004F2E7F,?,?,?,00000000), ref: 004F3A78

Part of subcall function 004F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0053318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005331CE
RegCloseKey.ADVAPI32(?), ref: 00533210
_wcslen.LIBCMT ref: 00533277
_wcslen.LIBCMT ref: 00533286

Strings

\Include\, xrefs: 004F3527
Software\AutoIt v3\AutoIt, xrefs: 004F3560
Include, xrefs: 00533184, 005331C5
\, xrefs: 0053328C

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 29dfe0cfd377dff3f745ad492b88863c06225655d68ad408d54e0adb4e551f66
Instruction ID: 25129ff110cfe01b9c40d73d85d2d515be9b8c2bd718ce4c30a745cca8c52120
Opcode Fuzzy Hash: 29dfe0cfd377dff3f745ad492b88863c06225655d68ad408d54e0adb4e551f66
Instruction Fuzzy Hash: 0D71BC714043459EC304EF66DC85DABBFE8FFA4B44F40092EF545931A0EB789A48CBA6

Function 004F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 004F2B9D
LoadIconW.USER32(00000063), ref: 004F2BB3
LoadIconW.USER32(000000A4), ref: 004F2BC5
LoadIconW.USER32(000000A2), ref: 004F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004F2BEF
RegisterClassExW.USER32(?), ref: 004F2C40

Part of subcall function 004F2CD4: GetSysColorBrush.USER32(0000000F), ref: 004F2D07
Part of subcall function 004F2CD4: RegisterClassExW.USER32(00000030), ref: 004F2D31
Part of subcall function 004F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F2D42
Part of subcall function 004F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 004F2D5F
Part of subcall function 004F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F2D6F
Part of subcall function 004F2CD4: LoadIconW.USER32(000000A9), ref: 004F2D85
Part of subcall function 004F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F2D94

Strings

0, xrefs: 004F2C0F
AutoIt v3, xrefs: 004F2C2F
#, xrefs: 004F2C16

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1ca4eb56aabf3c985de5b023b667a99d657d60f5c12d37b679070680c6c86c37
Instruction ID: 4c25a053c0cda6c17238a100147957fc0c0222691880fa5d0bb5ae76140035bf
Opcode Fuzzy Hash: 1ca4eb56aabf3c985de5b023b667a99d657d60f5c12d37b679070680c6c86c37
Instruction Fuzzy Hash: BD217C70E00B58AFDB109FA5EC44EA97FB4FB19F44F00041AEA00A26A1D3B54518EF98

Function 004FB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FBB4E

Strings

p%\, xrefs: 004FBB32
p#\, xrefs: 0054024F
p#\, xrefs: 00540263
x#\, xrefs: 00540207
x#\, xrefs: 00540168
p#\, xrefs: 004FBA72
p%\, xrefs: 004FB8DC
p#\, xrefs: 004FBB6B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#\$p#\$p#\$p#\$p%\$p%\$x#\$x#\
API String ID: 1385522511-1182363912
Opcode ID: ad4619ece5d4e7ed7090bd9d0ad6e095dbcef8bfafcb0d214e988ec752fa4255
Instruction ID: 70531d6452acad8dfa0f65c29f5488f61a98d595220a946438c34690cf928af5
Opcode Fuzzy Hash: ad4619ece5d4e7ed7090bd9d0ad6e095dbcef8bfafcb0d214e988ec752fa4255
Instruction Fuzzy Hash: C432AE74A002099FDB20DF54C894EBEBBB5FF45344F24845AEA05AB391C7B8ED42CB95

Function 004F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,004F316A,?,?), ref: 004F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,004F316A,?,?), ref: 004F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,004F316A,?,?), ref: 004F3232
CreatePopupMenu.USER32 ref: 004F3246
PostQuitMessage.USER32(00000000), ref: 004F3267

Strings

TaskbarCreated, xrefs: 004F322D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8986da5736fe6059fe443c08157af9cbb96c155fa2d6c7b0fbdbb834ba496abf
Instruction ID: 30b4f9664f4c61c5d099bca9711afec9f63e84147e5a875e400832471b4b7095
Opcode Fuzzy Hash: 8986da5736fe6059fe443c08157af9cbb96c155fa2d6c7b0fbdbb834ba496abf
Instruction Fuzzy Hash: 79414D31200908AEDB142FB89D0DF7A3E58F71634AF04011BFB06D5292CB79DE45A7AD

Function 004F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004F1459
CoUninitialize.COMBASE ref: 004F14F8
UnregisterHotKey.USER32(?), ref: 004F16DD
DestroyWindow.USER32(?), ref: 005324B9
FreeLibrary.KERNEL32(?), ref: 0053251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0053254B

Strings

close all, xrefs: 004F1454

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b5fdb893d870fd835fd5826d33bc6eaf61be091acf5fde2e7ec2e0188c12a6ce
Instruction ID: 735fb3387b4a4a2dbfca8b00ed898671b0f2e9062b8bd1d07db6d1e852e97d44
Opcode Fuzzy Hash: b5fdb893d870fd835fd5826d33bc6eaf61be091acf5fde2e7ec2e0188c12a6ce
Instruction Fuzzy Hash: 8BD19D31701612CFDB29EF15C499A39FBA4BF44704F1441AEE94AAB262CB34ED12CF55

Function 004F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,004F1CAD,?), ref: 004F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,004F1CAD,?), ref: 004F2CCF

Strings

edit, xrefs: 004F2CAC
AutoIt v3, xrefs: 004F2C89, 004F2C8E, 004F2C8F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6d4e602f80abdba1cb28af85e22bc9f6807da865f55936a0ed7bfb942426f658
Instruction ID: ec3936e1dfff7423e7330c8ab5e7c5297f6e52e4640b00a036a758997baadac9
Opcode Fuzzy Hash: 6d4e602f80abdba1cb28af85e22bc9f6807da865f55936a0ed7bfb942426f658
Instruction Fuzzy Hash: 6FF0DA75640AD07EEB311717AC08E772EBDE7E7F54B01045EFD00A25A1C6751858EAB8

Function 00522DF8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,0051F2DE,00523863,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6), ref: 00522DFD
_free.LIBCMT ref: 00522E32
_free.LIBCMT ref: 00522E59
SetLastError.KERNEL32(00000000,004F1129), ref: 00522E66
SetLastError.KERNEL32(00000000,004F1129), ref: 00522E6F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 723d84d08a1afa350a0a0b81c4e74c52a5147ef26a450838165724b2bd600881
Instruction ID: 02ec73fc5d1332297306b8ee470aef436bb893bb9e0b778f5f08cbf6d6054110
Opcode Fuzzy Hash: 723d84d08a1afa350a0a0b81c4e74c52a5147ef26a450838165724b2bd600881
Instruction Fuzzy Hash: 2B01D13E205621BB861227787C4AD3B2E5DBFE73A1F224928F825A21D2EE748C056120

Function 004F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B83

Strings

Control Panel\Mouse, xrefs: 004F3B3E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 627100c6bf53260b327327e2ceed15152bf757738cd1fe5057c097919bac7de3
Instruction ID: a2cf8babd90cdc2959f8d9270765ea6519557d4e5fa51e242904d38edf7f2182
Opcode Fuzzy Hash: 627100c6bf53260b327327e2ceed15152bf757738cd1fe5057c097919bac7de3
Instruction Fuzzy Hash: 41115AB1511208FFDB208FA4DC48ABFBBB8EF00785B10445AA901E7211D235AE45A764

Function 004F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005333A2

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F3A04

Strings

Line: , xrefs: 005333EB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 828b793b5f3cdd2f130d17e8210fc7b9b14b430297ea2477fc96661256cc78b4
Instruction ID: e35f481acad3830aad2a56e68204144a77b16b5e6c2efed3f3fadf02d8b9fd56
Opcode Fuzzy Hash: 828b793b5f3cdd2f130d17e8210fc7b9b14b430297ea2477fc96661256cc78b4
Instruction Fuzzy Hash: 1B31E471408708AED321EF10DC45FFBB7D8AB41719F00492FF69992191DB789A48C7DA

Function 004F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00532C8C

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 004F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004F2DC4

Strings

X, xrefs: 00532C5A
`e[, xrefs: 00532C85

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e[
API String ID: 779396738-1307940800
Opcode ID: 392839ef67f744aa27b9c4a3d11d83f539c44bee301c27e9a73d644e40b2b657
Instruction ID: 52e0ac121eb2c689d10b6842b1aa61fd34ce948ebe7801e52c91f912e6df340b
Opcode Fuzzy Hash: 392839ef67f744aa27b9c4a3d11d83f539c44bee301c27e9a73d644e40b2b657
Instruction Fuzzy Hash: CF219371A0069CAFDF01DF95C849BEE7BF8AF89304F00405AE505B7241DBB85A898F65

Function 0050FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00510668

Part of subcall function 005132A4: RaiseException.KERNEL32(?,?,?,0051068A,?,005C1444,?,?,?,?,?,?,0051068A,004F1129,005B8738,004F1129), ref: 00513304

__CxxThrowException@8.LIBVCRUNTIME ref: 00510685

Strings

Unknown exception, xrefs: 00510692

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5352e8b06440ec84872f09d35f66d53ac533f703afe88543bab8f1c09e8dff65
Instruction ID: 8f96a75297513f39aacb60dd3c8629d8886978e6489b32a93e9cf491dc14321a
Opcode Fuzzy Hash: 5352e8b06440ec84872f09d35f66d53ac533f703afe88543bab8f1c09e8dff65
Instruction Fuzzy Hash: 7AF0C83490020E77DF10BA64D84ACDD7F6D7E80350B604531B924959D1EFB1EAD5CA80

Function 004F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F1BF4
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 004F1BFC
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F1C07
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F1C12
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 004F1C1A
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 004F1C22

Part of subcall function 004F1B4A: RegisterWindowMessageW.USER32(00000004,?,004F12C4), ref: 004F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004F136A
OleInitialize.OLE32 ref: 004F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 005324AB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 79d8c41062ca1739c81054dcdbf3b75d87911e896c1d3f197d4072e0d64b090b
Instruction ID: 50f23171d1d50d3f26523bde95f7acb43213616b85e00c2da998aabd50526d04
Opcode Fuzzy Hash: 79d8c41062ca1739c81054dcdbf3b75d87911e896c1d3f197d4072e0d64b090b
Instruction Fuzzy Hash: 2C71DDB4805E048EC784EF7AA985E653EE0FBAB344754812ED50AD7363EB348008EF5C

Function 0055C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0055C259
KillTimer.USER32(?,00000001,?,?), ref: 0055C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0055C270

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 104bc1ea3475ac88d6de583b7a1ffda4af7484d8ee4d64f2bdd0e5c1ec581d3d
Instruction ID: 8b16011d5e051b6476ac069e1096097eaec499ed8ece7f2eab7422101eefcb8c
Opcode Fuzzy Hash: 104bc1ea3475ac88d6de583b7a1ffda4af7484d8ee4d64f2bdd0e5c1ec581d3d
Instruction Fuzzy Hash: 6331E8749047446FEB228F648855BE7BFECAB12309F00049ED9DAA7141C3745A88CB51

Function 005286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005285CC,?,005B8CC8,0000000C), ref: 00528704
GetLastError.KERNEL32(?,005285CC,?,005B8CC8,0000000C), ref: 0052870E
__dosmaperr.LIBCMT ref: 00528739

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: e424849e94679f182e983f637f1023ff31c03879b89160e592167d0d3d7041d5
Instruction ID: 52bb46692c306491314e821afa7082f42627cf7033d5a14563c39e46c4a08ae8
Opcode Fuzzy Hash: e424849e94679f182e983f637f1023ff31c03879b89160e592167d0d3d7041d5
Instruction Fuzzy Hash: 2D016B336066302AD624A6B4784DB7E2F49AFF3774F381519F8149B1D3EEB19C819290

Function 004FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 004FDB7B
DispatchMessageW.USER32(?), ref: 004FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FDB9F
Sleep.KERNELBASE(0000000A), ref: 004FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00541CC9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 399c147d4b632e44df675201a354f7e393ddf93202fd8a3dcaa16189e9d0439f
Instruction ID: d1fdd041f192ff3ebc39705576d2f32700e9cf1d3baee0e2a0308d27c05e85a6
Opcode Fuzzy Hash: 399c147d4b632e44df675201a354f7e393ddf93202fd8a3dcaa16189e9d0439f
Instruction Fuzzy Hash: 3AF05E306447459BEB30DBA08C89FEB7BA9FB95350F104A19E61AD30D0DB34A4899B2D

Function 00501310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005017F6

Strings

CALL, xrefs: 005017C6

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1f7cddfe9ae14804694432efc7c4cca02f9a39355e60288d31b22368dbf27439
Instruction ID: 5b9864dceb0e79ba70f9e0bc395327bbfab07143e252d92aae496a94cb6774d3
Opcode Fuzzy Hash: 1f7cddfe9ae14804694432efc7c4cca02f9a39355e60288d31b22368dbf27439
Instruction Fuzzy Hash: 322289706086429FC714DF14C884B6EBFF1BF85318F18891DF4968B2A2D772E945CB96

Function 004F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F3908

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e6224ff943fb7f4fc7fa7a997cc7c865654509b19da0627bffa7140f67111a10
Instruction ID: 75ffe02f89301cfb2f30f79de331acd1449925692acfbde470288d26e499ddc6
Opcode Fuzzy Hash: e6224ff943fb7f4fc7fa7a997cc7c865654509b19da0627bffa7140f67111a10
Instruction Fuzzy Hash: 3631D170504B058FD720EF24D884BA7BBE4FB49749F00082EFA9983251E779AA48CB56

Function 0050F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0050F661

Part of subcall function 004FD730: GetInputState.USER32 ref: 004FD807

Sleep.KERNEL32(00000000), ref: 0054F2DE

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 17bcdfe02cca87f133b3badde27de06a5b8bb1bf05af1dd473b5a3f146b33c41
Instruction ID: ddca7989d9424e9ae8fb39135a134b9eed4685a07b457e0619188e88e3fb1c7d
Opcode Fuzzy Hash: 17bcdfe02cca87f133b3badde27de06a5b8bb1bf05af1dd473b5a3f146b33c41
Instruction Fuzzy Hash: 8EF08231244205AFD310EF69D859B6ABBE9FF55764F00002EE959D7260DB74A800CB94

Function 004F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E9C
Part of subcall function 004F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F4EAE
Part of subcall function 004F4E90: FreeLibrary.KERNEL32(00000000,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EFD

Part of subcall function 004F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E62
Part of subcall function 004F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F4E74
Part of subcall function 004F4E59: FreeLibrary.KERNEL32(00000000,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E87

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 33567cadc3559736a15d67c546520b173f55d25d6c7b6946374efa088c82bcd3
Instruction ID: bcdd7d6bc77b4f7cd1ba907a2acdaaec4c270f5dcc1dee7ef3c3b3ebcb13a524
Opcode Fuzzy Hash: 33567cadc3559736a15d67c546520b173f55d25d6c7b6946374efa088c82bcd3
Instruction Fuzzy Hash: DD112731600209ABCB10BF61DC02FBE7BA5AF80714F10842EF646B71C1DE789E459764

Function 00528402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00528440

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e5cfaa086d7a222c1e952dbffbc000d65fe1efedfae357622860697dd246e953
Instruction ID: 082fad20926c69eb69d7223b01b577125ad287d83e74747e7e3642efbeef6a2b
Opcode Fuzzy Hash: e5cfaa086d7a222c1e952dbffbc000d65fe1efedfae357622860697dd246e953
Instruction Fuzzy Hash: DC11487190420AAFCF05DF98E9409AE7BF4FF49304F144059F808AB352DA30DA21CBA4

Function 0051E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d03c47c2122cc62064b9c27c73e0860f4307581dec9a1fb5ec985190622a2973
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 7DF0F936511A21A6E7313A65BC0EBD63F98BFD3374F100B15F825921D1CB70A881C6A5

Function 00524C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,004F1129,00000000,?,00522E29,00000001,00000364,?,?,?,0051F2DE,00523863,005C1444,?,0050FDF5,?), ref: 00524CBE

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b277da0f6ff37d818e56ea6539910725da6082fa176a43b7fd447460c2f3b0d8
Instruction ID: 4d888ff893b205f20a96ecaf919b331fc856b841ac174b740e77b6a88ec0fee6
Opcode Fuzzy Hash: b277da0f6ff37d818e56ea6539910725da6082fa176a43b7fd447460c2f3b0d8
Instruction Fuzzy Hash: 08F0E93260263567EB215F7AFC09F9A3F88BF937A0B144121BC15B62C1CA70DC019EE0

Function 00523820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 90f8b6505b1732639fc522c52f318cdbc8564122b29d56c0b81c938359946cf2
Instruction ID: ad865d6f532c1a5a7ca3659fb72beee7a6791d03a7dadaec02eb50ba58210594
Opcode Fuzzy Hash: 90f8b6505b1732639fc522c52f318cdbc8564122b29d56c0b81c938359946cf2
Instruction Fuzzy Hash: FFE0E53210263556E7212676BC08BDA3E59BF83BB0F160120BD159A5C1CB29DD0186E1

Function 004F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4F6D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3fb90f22b1a6daa0449057c20518565b53f88af32d1c210f26f38dd0b0998eef
Instruction ID: d7084dd8f6dbea361986a4f05d3b5b5defb084ee19577c26fdf06f741958e4c9
Opcode Fuzzy Hash: 3fb90f22b1a6daa0449057c20518565b53f88af32d1c210f26f38dd0b0998eef
Instruction Fuzzy Hash: FCF03071505756CFDB349F64D494823BBE4BF54329310897FE6DE82621CB359888DF28

Function 00582A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00582A66

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1bc947db62df2cd1de3aa28fabf27ab5cdc42bce46cab135a315961bff499bf5
Instruction ID: 45254700a147520fd85b5a53c02a9be35787ae25dba5aad2d0220700a4dbe0ea
Opcode Fuzzy Hash: 1bc947db62df2cd1de3aa28fabf27ab5cdc42bce46cab135a315961bff499bf5
Instruction Fuzzy Hash: 6EE04F76350516AAC718FA30DC948FE7F5CFF90395B104536AC2AE2110EB70999997A0

Function 004F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 004F314E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cd0f8d9ff8f477f722120dcc95658485d95d264fbc007c315733a9fcc232525e
Instruction ID: bdd1690961475d4ca8958c20a03d5555fd83813ec6f42d03eac9783d35eda6e4
Opcode Fuzzy Hash: cd0f8d9ff8f477f722120dcc95658485d95d264fbc007c315733a9fcc232525e
Instruction Fuzzy Hash: 8FF0A7709003489FEB529F24DC49BDA7BBCB70170CF0000E5A64896292DB744B9CCF55

Function 004F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004F2DC4

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0d482feaabd06241f9a37be74749a05fafa1c59015231a8d48fc93449f59757a
Instruction ID: 417e5d9ffb9963d8a51002d53f1605a9559ffb1daafff0e7990d4f3dbaad772f
Opcode Fuzzy Hash: 0d482feaabd06241f9a37be74749a05fafa1c59015231a8d48fc93449f59757a
Instruction Fuzzy Hash: A8E0CD766001245BC71092589C05FEA77DDDFC8790F050075FD09E7248D974AD848664

Function 004F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F3908

Part of subcall function 004FD730: GetInputState.USER32 ref: 004FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 004F2B6B

Part of subcall function 004F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 004F314E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 600933ce2bf0869388b08319e6d001cc562697ad7971b857fd4d394eba75ce5a
Instruction ID: 7fac817666d64708b1dad1579ea9a3a8b050021122ed13f78b462eb94510ddf0
Opcode Fuzzy Hash: 600933ce2bf0869388b08319e6d001cc562697ad7971b857fd4d394eba75ce5a
Instruction Fuzzy Hash: 0AE0863170464D0ACA08BF76985297DB799DBE239BF40253FF74247163CE6C89498359

Function 0053039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00530704,?,?,00000000,?,00530704,00000000,0000000C), ref: 005303B7

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 07409dd25b2d8edef6ca22cdae67376db4010d7eaeeaa41d3ac7f14503eb49a1
Instruction ID: 44a3621e26ba06cf05dac4bcf07655560a08893ad5be0c7967ad02054c891931
Opcode Fuzzy Hash: 07409dd25b2d8edef6ca22cdae67376db4010d7eaeeaa41d3ac7f14503eb49a1
Instruction Fuzzy Hash: 58D06C3204010DBBDF028F84DD46EDA3FAAFB48714F014000BE1866020C732E821EB90

Function 004F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 004F1CBC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a63f26e07b35fd0b8b42d2fc65d35b9462081890446a1d7f08075c8a2c069182
Instruction ID: a90d7fa9caaff05a4e8c045ac3ebd7fd49648594f0dcb7004e2a529174bcfef4
Opcode Fuzzy Hash: a63f26e07b35fd0b8b42d2fc65d35b9462081890446a1d7f08075c8a2c069182
Instruction Fuzzy Hash: 76C09B352807049FF6145780BC4AF117754A368F05F044401F609695E3C3F11414FB54

Non-executed Functions

Function 00589576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0058961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0058965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0058969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005896C9
SendMessageW.USER32 ref: 005896F2
GetKeyState.USER32(00000011), ref: 0058978B
GetKeyState.USER32(00000009), ref: 00589798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005897AE
GetKeyState.USER32(00000010), ref: 005897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005897E9
SendMessageW.USER32 ref: 00589810
SendMessageW.USER32(?,00001030,?,00587E95), ref: 00589918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0058992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00589941
SetCapture.USER32(?), ref: 0058994A
ClientToScreen.USER32(?,?), ref: 005899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005899D6
ReleaseCapture.USER32 ref: 005899E1
GetCursorPos.USER32(?), ref: 00589A19
ScreenToClient.USER32(?,?), ref: 00589A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00589A80
SendMessageW.USER32 ref: 00589AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00589AEB
SendMessageW.USER32 ref: 00589B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00589B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00589B4A
GetCursorPos.USER32(?), ref: 00589B68
ScreenToClient.USER32(?,?), ref: 00589B75
GetParent.USER32(?), ref: 00589B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00589BFA
SendMessageW.USER32 ref: 00589C2B
ClientToScreen.USER32(?,?), ref: 00589C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00589CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00589CDE
SendMessageW.USER32 ref: 00589D01
ClientToScreen.USER32(?,?), ref: 00589D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00589D82

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

GetWindowLongW.USER32(?,000000F0), ref: 00589E05

Strings

F, xrefs: 00589D07
@GUI_DRAGID, xrefs: 0058997D
p#\, xrefs: 00589990

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#\
API String ID: 3429851547-2312411218
Opcode ID: 8086d5d70a7ac36cc182a0c0e5ad15767fe74b1bad7b3f1527403d8dd57a81cc
Instruction ID: 8badfc9561f475c60ac917e63b0ee42ec16394514db9caec1b6a0a66564d3186
Opcode Fuzzy Hash: 8086d5d70a7ac36cc182a0c0e5ad15767fe74b1bad7b3f1527403d8dd57a81cc
Instruction Fuzzy Hash: 20428E74204201AFDB24EF29CC44EBABFE5FF49310F180A19FA59AB2A1E731D854DB51

Function 00584873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00584908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00584927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0058494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0058495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0058497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00584A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00584A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00584A7E
IsMenu.USER32(?), ref: 00584A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00584AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00584B20
GetWindowLongW.USER32(?,000000F0), ref: 00584B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00584BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00584C82
wsprintfW.USER32 ref: 00584CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00584CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00584CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00584D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00584D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00584D5A

Strings

%d/%02d/%02d, xrefs: 00584CA8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 70fdc7805a80bf4b92144bc8daa0a888d28086c5bed5f00cc199a3a5cde20590
Instruction ID: 84692f56d54df094ab99b6d76b13bda94f2af40562dcb3a3cd42f4333deb449d
Opcode Fuzzy Hash: 70fdc7805a80bf4b92144bc8daa0a888d28086c5bed5f00cc199a3a5cde20590
Instruction Fuzzy Hash: 1212DD71600256ABEB24AF29CC49FAE7FA8BF85310F104529FD16EB2E1DB749944CF50

Function 0050F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0050F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0054F474
IsIconic.USER32(00000000), ref: 0054F47D
ShowWindow.USER32(00000000,00000009), ref: 0054F48A
SetForegroundWindow.USER32(00000000), ref: 0054F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0054F4AA
GetCurrentThreadId.KERNEL32 ref: 0054F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0054F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0054F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0054F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0054F4DE
SetForegroundWindow.USER32(00000000), ref: 0054F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F4F6
keybd_event.USER32(00000012,00000000), ref: 0054F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F50B
keybd_event.USER32(00000012,00000000), ref: 0054F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F519
keybd_event.USER32(00000012,00000000), ref: 0054F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F528
keybd_event.USER32(00000012,00000000), ref: 0054F52D
SetForegroundWindow.USER32(00000000), ref: 0054F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0054F557

Strings

Shell_TrayWnd, xrefs: 0054F46F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ec01ec42f714478a5f00584687f9b3232483ea785d12ccd1b720b570131b7065
Instruction ID: 040998172391237c2394a19f9a5a558464fb10adf957ae3856088f5cedf8b2e7
Opcode Fuzzy Hash: ec01ec42f714478a5f00584687f9b3232483ea785d12ccd1b720b570131b7065
Instruction Fuzzy Hash: 61313D71A40218BBEF206BB99C4AFBF7E6CEB44B54F101465FA05F61D1DAB15900BBB0

Function 00551201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
Part of subcall function 005516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
Part of subcall function 005516C3: GetLastError.KERNEL32 ref: 0055174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00551286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005512A8
CloseHandle.KERNEL32(?), ref: 005512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005512D1
GetProcessWindowStation.USER32 ref: 005512EA
SetProcessWindowStation.USER32(00000000), ref: 005512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00551310

Part of subcall function 005510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005511FC), ref: 005510D4
Part of subcall function 005510BF: CloseHandle.KERNEL32(?,?,005511FC), ref: 005510E9

Strings

Z[, xrefs: 00551392
, xrefs: 0055125A
winsta0, xrefs: 005512CC
default, xrefs: 0055130B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z[
API String ID: 22674027-259235808
Opcode ID: adc064fd80789dfe7da33c7ba8dbc550af7f00d0178664f96e87512cdabbac96
Instruction ID: 360275e3d7ec76c7616555425b1c3f517c71c40eed1c06711303305efabe5c1d
Opcode Fuzzy Hash: adc064fd80789dfe7da33c7ba8dbc550af7f00d0178664f96e87512cdabbac96
Instruction Fuzzy Hash: 70816571900209ABDF209FA8DC59BEE7FB9BF04705F14612AFD10B62A0E7759948DB24

Function 00550B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
Part of subcall function 005510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
Part of subcall function 005510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
Part of subcall function 005510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00550BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00550C00
GetLengthSid.ADVAPI32(?), ref: 00550C17
GetAce.ADVAPI32(?,00000000,?), ref: 00550C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00550C6D
GetLengthSid.ADVAPI32(?), ref: 00550C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00550C8C
HeapAlloc.KERNEL32(00000000), ref: 00550C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00550CB4
CopySid.ADVAPI32(00000000), ref: 00550CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00550CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00550D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00550D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D45
HeapFree.KERNEL32(00000000), ref: 00550D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D55
HeapFree.KERNEL32(00000000), ref: 00550D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D65
HeapFree.KERNEL32(00000000), ref: 00550D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00550D78
HeapFree.KERNEL32(00000000), ref: 00550D7F

Part of subcall function 00551193: GetProcessHeap.KERNEL32(00000008,00550BB1,?,00000000,?,00550BB1,?), ref: 005511A1
Part of subcall function 00551193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00550BB1,?), ref: 005511A8
Part of subcall function 00551193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00550BB1,?), ref: 005511B7

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2c44276eb4fac266633b55dd2a34adf8fa35e7d0cdae396a28edd838bbb3c58d
Instruction ID: 70c9e8708403bf03fa38cba8f220288fc617fb1fdcced115bb38d29f21cb7547
Opcode Fuzzy Hash: 2c44276eb4fac266633b55dd2a34adf8fa35e7d0cdae396a28edd838bbb3c58d
Instruction Fuzzy Hash: C371577290020AABDF109FE4DC88BEEBFB8BF14341F145516ED14A6291D771AA09DBA0

Function 0056EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0058CC08), ref: 0056EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0056EB37
GetClipboardData.USER32(0000000D), ref: 0056EB43
CloseClipboard.USER32 ref: 0056EB4F
GlobalLock.KERNEL32(00000000), ref: 0056EB87
CloseClipboard.USER32 ref: 0056EB91
GlobalUnlock.KERNEL32(00000000), ref: 0056EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0056EBC9
GetClipboardData.USER32(00000001), ref: 0056EBD1
GlobalLock.KERNEL32(00000000), ref: 0056EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0056EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0056EC38
GetClipboardData.USER32(0000000F), ref: 0056EC44
GlobalLock.KERNEL32(00000000), ref: 0056EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0056EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0056EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0056ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0056ECF3
CountClipboardFormats.USER32 ref: 0056ED14
CloseClipboard.USER32 ref: 0056ED59

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: af8b1245ade00d29506a559efbe5230bc7c1c6554807a8b16f0d834335bec98b
Instruction ID: c9c863b0a1d42e8128807c07a7bd9fd3fca913266d42b9985edf0ac3a1d34a2e
Opcode Fuzzy Hash: af8b1245ade00d29506a559efbe5230bc7c1c6554807a8b16f0d834335bec98b
Instruction Fuzzy Hash: 8D6100382042019FD300EF25D88AF3A7FA4BF94748F14551DF986A72A2DB31DD0ADB62

Function 0056698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005669BE
FindClose.KERNEL32(00000000), ref: 00566A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00566A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00566A75

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00566AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00566ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00566B6A
%4d, xrefs: 00566BB1
%02d, xrefs: 00566C00, 00566C0A, 00566C5A, 00566CAA, 00566CFA, 00566D4A
%03d, xrefs: 00566DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00566B32

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9a9cfee667905e759562fe046a914ee5cfa400e927ffbfaa52a6c07a674d61ad
Instruction ID: 50612131807932c9ea45901f6ce7e2af5916cb9e625fbc59b59dd6b9396f9ccf
Opcode Fuzzy Hash: 9a9cfee667905e759562fe046a914ee5cfa400e927ffbfaa52a6c07a674d61ad
Instruction Fuzzy Hash: 8DD13D71508344AEC310EBA5C985EBBB7ECBF98704F04491EF685D7191EB78DA44CB62

Function 00569642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00569663
GetFileAttributesW.KERNEL32(?), ref: 005696A1
SetFileAttributesW.KERNEL32(?,?), ref: 005696BB
FindNextFileW.KERNEL32(00000000,?), ref: 005696D3
FindClose.KERNEL32(00000000), ref: 005696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0056974A
SetCurrentDirectoryW.KERNEL32(005B6B7C), ref: 00569768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00569772
FindClose.KERNEL32(00000000), ref: 0056977F
FindClose.KERNEL32(00000000), ref: 0056978F

Strings

*.*, xrefs: 005696F5

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 208f74cdc018d7eeda537fc60075144dfafdaa4470b23e06f6d9dbbfadbd25b6
Instruction ID: 613d1e513d4398a799695c2475fd3ba9b1659701256e6cd2ea3d0d21b45dafe0
Opcode Fuzzy Hash: 208f74cdc018d7eeda537fc60075144dfafdaa4470b23e06f6d9dbbfadbd25b6
Instruction Fuzzy Hash: 1431A4365402196ADF14AFB4DC49AEE7FACFF4A320F104155E916E3090EB34DD848B64

Function 0056979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00569819
FindClose.KERNEL32(00000000), ref: 00569824
FindFirstFileW.KERNEL32(*.*,?), ref: 00569840
SetCurrentDirectoryW.KERNEL32(?), ref: 00569890
SetCurrentDirectoryW.KERNEL32(005B6B7C), ref: 005698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005698B8
FindClose.KERNEL32(00000000), ref: 005698C5
FindClose.KERNEL32(00000000), ref: 005698D5

Part of subcall function 0055DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0055DB00

Strings

*.*, xrefs: 0056983B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c477027f7297f15f8b07920eebcb0ede236dd4998c0e008ce15b58bffcbc289a
Instruction ID: 30d22dbda37ac4702e7fcd070c359d3ade509e71e17cbb0fddf16270ca085041
Opcode Fuzzy Hash: c477027f7297f15f8b07920eebcb0ede236dd4998c0e008ce15b58bffcbc289a
Instruction Fuzzy Hash: 1B31C33250021AAADB10AFB4EC48ADE7FACBF4A320F104155E951A30D0DB30DD89CB60

Function 0057BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0057BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0057BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0057C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0057C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0057C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0057C382
RegCloseKey.ADVAPI32(00000000), ref: 0057C38F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 5df469daf0b861c5cb8a1c248a79e326188ee86942956d8c8d21ec6d0b37d345
Instruction ID: 4f69cb4e77f666c89847f59e28dbf7581e7cabe8bb61a7bbb1361e956522601e
Opcode Fuzzy Hash: 5df469daf0b861c5cb8a1c248a79e326188ee86942956d8c8d21ec6d0b37d345
Instruction Fuzzy Hash: D9025A71604200AFD714DF28D895E2ABBE5BF89308F18C89DF84ADB2A2D731ED45DB51

Function 00568195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00568257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00568267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00568273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00568310
SetCurrentDirectoryW.KERNEL32(?), ref: 00568324
SetCurrentDirectoryW.KERNEL32(?), ref: 00568356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0056838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00568395

Strings

*.*, xrefs: 0056839B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6f5aee77c3f8542bb3ceb5934a6fd9030165e7a2abd808d92e02e6e3bb2f2113
Instruction ID: 189874d7f63183032d5eea7b7837cf07e754c93e79a8c5c9656aaf366a0bf6ab
Opcode Fuzzy Hash: 6f5aee77c3f8542bb3ceb5934a6fd9030165e7a2abd808d92e02e6e3bb2f2113
Instruction Fuzzy Hash: D9617BB25043059FCB10EF60C8549AEBBE9FF89314F044D1EF98997251DB35E949CBA2

Function 0055D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

FindFirstFileW.KERNEL32(?,?), ref: 0055D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0055D1DD
MoveFileW.KERNEL32(?,?), ref: 0055D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0055D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0055D237

Part of subcall function 0055D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0055D21C,?,?), ref: 0055D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0055D253
FindClose.KERNEL32(00000000), ref: 0055D264

Strings

\*.*, xrefs: 0055D0CD, 0055D0D6, 0055D0EB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3d212bbb0a37d72dfe8ebecd31127a86e776290398abaf14b6031e59689cba09
Instruction ID: e9a382211de712b2799bb90ac18d6f7fa9564648cd5522c20675f4a310246c00
Opcode Fuzzy Hash: 3d212bbb0a37d72dfe8ebecd31127a86e776290398abaf14b6031e59689cba09
Instruction Fuzzy Hash: B1619B7280110DAACF15EBE1C9A29FDBBB5BF54345F24406AE90277191EB346F0DDB60

Function 0056ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0056ED91
EmptyClipboard.USER32 ref: 0056ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0056EDAC
CloseClipboard.USER32 ref: 0056EEA3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 484c88fbfcdd7376e95b253a46c926bf3ef31241ff55a18ceb9b2f26f58d38d7
Instruction ID: d4814f4cc6aa0f270039c8cacc97e42a5bbedbb4bc6f1f5c6f35b846bd635439
Opcode Fuzzy Hash: 484c88fbfcdd7376e95b253a46c926bf3ef31241ff55a18ceb9b2f26f58d38d7
Instruction Fuzzy Hash: 0741BF39205611AFE310CF1AD889B29BFE5FF54318F14C49DE8559B6A2C736EC45CBA0

Function 0055E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
Part of subcall function 005516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
Part of subcall function 005516C3: GetLastError.KERNEL32 ref: 0055174A

ExitWindowsEx.USER32(?,00000000), ref: 0055E932

Strings

SeShutdownPrivilege, xrefs: 0055E902
, xrefs: 0055E95C
@, xrefs: 0055E925
, xrefs: 0055E920

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 38d2237c648123ea6380c07b11b3e0034bba17fe3c110107bc8c81ecc0301cce
Instruction ID: 6e02ccffd6f80384badbd461bab4c9313378efcea3054904244ee3a85c3d6a46
Opcode Fuzzy Hash: 38d2237c648123ea6380c07b11b3e0034bba17fe3c110107bc8c81ecc0301cce
Instruction Fuzzy Hash: 10012B72A10211ABEB1826B4ACABFBF7EBCBB14742F140823FC03F21D1D5605D4C82A4

Function 00571204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00571276
WSAGetLastError.WSOCK32 ref: 00571283
bind.WSOCK32(00000000,?,00000010), ref: 005712BA
WSAGetLastError.WSOCK32 ref: 005712C5
closesocket.WSOCK32(00000000), ref: 005712F4
listen.WSOCK32(00000000,00000005), ref: 00571303
WSAGetLastError.WSOCK32 ref: 0057130D
closesocket.WSOCK32(00000000), ref: 0057133C

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: fca77574cad89dc30182c92e372d5ed3016a420c82386edea5f5f50f018e4d26
Instruction ID: c5d9ea76e231cc06d28e788fa0e18bae7de97c418bc0f3ed7cf1eae3ccdcf294
Opcode Fuzzy Hash: fca77574cad89dc30182c92e372d5ed3016a420c82386edea5f5f50f018e4d26
Instruction Fuzzy Hash: EA419E35600500AFD710DF29D488B29BBE6BF46318F18C089E95A9F293C775ED85DBE1

Function 0055D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

FindFirstFileW.KERNEL32(?,?), ref: 0055D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0055D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0055D481
FindClose.KERNEL32(00000000), ref: 0055D498
FindClose.KERNEL32(00000000), ref: 0055D4A1

Strings

\*.*, xrefs: 0055D3F2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 69fe4d658b9a71738d7a8b47d96ee712f5bcf1b725726ff4d6a087e2898c2c8d
Instruction ID: 6d1b16761b6a5eb6fcac17e8cd2a52b35030be16440ab5b5fe25cdf948142b26
Opcode Fuzzy Hash: 69fe4d658b9a71738d7a8b47d96ee712f5bcf1b725726ff4d6a087e2898c2c8d
Instruction Fuzzy Hash: 8031D0720083459BC710EF65C8518BF7BE8BE91345F444E1EF9D292191EB74AA0DC767

Function 0052E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0052E645

Strings

1#SNAN, xrefs: 0052F844
1#IND, xrefs: 0052F83D
1#QNAN, xrefs: 0052F84B
1#INF, xrefs: 0052F852

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4084081dcb3f9a4074d340d187b5b1dbea475fc33a4300e74d9285b0a1e2bc93
Instruction ID: 0574f376bc33559cc09ba7efaf3c72985f5f3345e9a121b983aa28ee6671ae3e
Opcode Fuzzy Hash: 4084081dcb3f9a4074d340d187b5b1dbea475fc33a4300e74d9285b0a1e2bc93
Instruction Fuzzy Hash: DDC24A72E046298BDB25CE28ED457EABBB5FF46304F1445EAD44DE7280E774AE818F40

Function 0056648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005664DC
CoInitialize.OLE32(00000000), ref: 00566639
CoCreateInstance.OLE32(0058FCF8,00000000,00000001,0058FB68,?), ref: 00566650
CoUninitialize.OLE32 ref: 005668D4

Strings

.lnk, xrefs: 005664BA, 00566524, 005665E0

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: cf2ecfacbea9997c62521caa35700f6af093b76c48b08ecbc1486f9c2e96a4f5
Instruction ID: 9ffdec1bd3aac3a10d7f4459adaa38860b2d8eb9ffe59c6413c08c81d578e163
Opcode Fuzzy Hash: cf2ecfacbea9997c62521caa35700f6af093b76c48b08ecbc1486f9c2e96a4f5
Instruction Fuzzy Hash: D9D15B715083059FC314EF25C881A6BBBE8FF94708F40495DF5958B291DB74ED09CBA6

Function 005722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005722E8

Part of subcall function 0056E4EC: GetWindowRect.USER32(?,?), ref: 0056E504

GetDesktopWindow.USER32 ref: 00572312
GetWindowRect.USER32(00000000), ref: 00572319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00572355
GetCursorPos.USER32(?), ref: 00572381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005723DF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 477f10ccaefb0224d5e0d95753b43118f720993409c2da4e824c673910a2ddb8
Instruction ID: 228501f41f8024cb7aabebbf58eb37b14acb1b64d59ed46e96a41f273e9a2b68
Opcode Fuzzy Hash: 477f10ccaefb0224d5e0d95753b43118f720993409c2da4e824c673910a2ddb8
Instruction Fuzzy Hash: 0331CF72505315AFDB20DF14D849E5BBBEAFF84310F004919F989A7281DB34EA08DBA2

Function 00569B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00569B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00569C8B

Part of subcall function 00563874: GetInputState.USER32 ref: 005638CB
Part of subcall function 00563874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00563966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00569BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00569C75

Strings

*.*, xrefs: 00569B5D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: b3696b8453c7c61586db5ff011a7d95b10be52ba9ce9b4b51e4694a41be798fd
Instruction ID: 0041019bb69537032638fdd6ef0e0350f21860ee22d33e6bc3b2c5aeacd504af
Opcode Fuzzy Hash: b3696b8453c7c61586db5ff011a7d95b10be52ba9ce9b4b51e4694a41be798fd
Instruction Fuzzy Hash: 37416D7190420A9FDF54EF64C989AEEBFB8FF45350F24415AE905A3191EB309E84CF64

Function 0050997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00509A4E
GetSysColor.USER32(0000000F), ref: 00509B23
SetBkColor.GDI32(?,00000000), ref: 00509B36

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 77c3f0da21d947b32eb7fdcb0132281faf73f662c650e8f40d4e0c5a136efba6
Instruction ID: a05933772db113d86424fc13b61e01a0e961a1ddc41084cc81caf413ea11210a
Opcode Fuzzy Hash: 77c3f0da21d947b32eb7fdcb0132281faf73f662c650e8f40d4e0c5a136efba6
Instruction Fuzzy Hash: 8EA1F870209848AEE728AA2C8C9DEBF3E9DFBCA354F150509F502D65DBCB259D01D376

Function 00571806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0057307A
Part of subcall function 0057304E: _wcslen.LIBCMT ref: 0057309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0057185D
WSAGetLastError.WSOCK32 ref: 00571884
bind.WSOCK32(00000000,?,00000010), ref: 005718DB
WSAGetLastError.WSOCK32 ref: 005718E6
closesocket.WSOCK32(00000000), ref: 00571915

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d28d216abf4c507d295aaf79d43bcb78e6ee688d44bec9f2f194e70b2c55d326
Instruction ID: b8f170ca0c9e89e40aeff75c572b1e10bf6cc9aefd933504ab70a79680a0fae7
Opcode Fuzzy Hash: d28d216abf4c507d295aaf79d43bcb78e6ee688d44bec9f2f194e70b2c55d326
Instruction Fuzzy Hash: 3551C471A00204AFDB10AF24D886F3A7BE5AB45718F04C49DFA0A6F3C3C775AD419BA5

Function 00581C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00581CC0
IsWindowEnabled.USER32 ref: 00581CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00581CDB
IsIconic.USER32 ref: 00581CE9
IsZoomed.USER32 ref: 00581CF7

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 808219bd866d8e3aba9a68c6f19b26756023bc4521380fd7a1be20767668b9b3
Instruction ID: fd525d92ac54a05b724b984a5be2cbd3afe6f4dc72e596eb648ced7b88ab387a
Opcode Fuzzy Hash: 808219bd866d8e3aba9a68c6f19b26756023bc4521380fd7a1be20767668b9b3
Instruction Fuzzy Hash: 1921B131740A015FD720AF2AC884B2A7FA9FF95314F188068EC46EB351CB71DC42CBA8

Function 004F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004F83FA
VUUU, xrefs: 00535DF0
ERCP, xrefs: 004F813C
VUUU, xrefs: 004F843C
VUUU, xrefs: 004F83E8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1e2c7f89e1180f2c89e92ad5b1c9f51e92e86345f9554e1e33f0b69fe467bd10
Instruction ID: ac936fad0e8b8bf15de6b3cff76a12022a8b914b6615cfc1e76f3f01fe161ac5
Opcode Fuzzy Hash: 1e2c7f89e1180f2c89e92ad5b1c9f51e92e86345f9554e1e33f0b69fe467bd10
Instruction Fuzzy Hash: F5A28C70E0061ECBDF24CF58C9407BEBBB1BB54314F2485AEE915AB285EB349D81CB95

Function 00558298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005582AA

Strings

(, xrefs: 005582F0
tb[, xrefs: 005584F4
|, xrefs: 005582DA

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb[$|
API String ID: 1659193697-2831977410
Opcode ID: 98f9f5cac2917f60469da465b86ac3095abf26d938d62269647e5ab16c10ae13
Instruction ID: 35cbe7622ff111772426a916dcb47a00c21db72afd178bd125b95788ad4231f2
Opcode Fuzzy Hash: 98f9f5cac2917f60469da465b86ac3095abf26d938d62269647e5ab16c10ae13
Instruction Fuzzy Hash: A7322A75A00605DFCB28CF59C49196ABBF0FF48710B15C96EE85AEB7A1DB70E941CB40

Function 0055AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0055AAAC
SetKeyboardState.USER32(00000080), ref: 0055AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0055AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0055AB88

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b6efa61e68f316ac4881997434c16182a34bb66f8bb0e745bd9be57ab8e1eb3
Instruction ID: f11efe58849c043f9ff2549e3ea12e83e698c198ab66e589a4d1986dc5116fd8
Opcode Fuzzy Hash: 2b6efa61e68f316ac4881997434c16182a34bb66f8bb0e745bd9be57ab8e1eb3
Instruction Fuzzy Hash: 74310930A40248AEFF358A69CC25BFA7FA6BB44322F04431BF981561D1D7758989D7A2

Function 0052BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0052BB7F

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

GetTimeZoneInformation.KERNEL32 ref: 0052BB91
WideCharToMultiByte.KERNEL32(00000000,?,005C121C,000000FF,?,0000003F,?,?), ref: 0052BC09
WideCharToMultiByte.KERNEL32(00000000,?,005C1270,000000FF,?,0000003F,?,?,?,005C121C,000000FF,?,0000003F,?,?), ref: 0052BC36

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: ca0f17d58656bb06c726647e50981165adc13bb52cbf31c3bdaea258f7805408
Instruction ID: cdae83bf9bf58070934aef40e19bf30056f32597b97b268fabbf039f394a0e70
Opcode Fuzzy Hash: ca0f17d58656bb06c726647e50981165adc13bb52cbf31c3bdaea258f7805408
Instruction Fuzzy Hash: 9D31AD79904616DFDB10DF6AAC8096DBFB8FF67310B14466AE021E72E2D7309E44DB50

Function 0056CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0056CE89
GetLastError.KERNEL32(?,00000000), ref: 0056CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0056CEFE

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 964e0d7953fc529c02c0d091e5e06e4399ff7814b0f754a57ab76e714c18cf2e
Instruction ID: 94441f6e2ad5bce96739c092cc27db213b8da93442dbeb8ea40098b041f27417
Opcode Fuzzy Hash: 964e0d7953fc529c02c0d091e5e06e4399ff7814b0f754a57ab76e714c18cf2e
Instruction Fuzzy Hash: 8821AC716003059BEB219F65C988BAABFFCFB50314F10481EEA86E3151E771EE48DB60

Function 00565C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00565CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00565D17
FindClose.KERNEL32(?), ref: 00565D5F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e1f1cd2108180cbc9fcdf863c292b6f6a9796bccec0b66acd2189d82e24465ad
Instruction ID: 98e208ac6f2a38b922bbf220b28d0aec282bbb63a815fc26a51d20c588108312
Opcode Fuzzy Hash: e1f1cd2108180cbc9fcdf863c292b6f6a9796bccec0b66acd2189d82e24465ad
Instruction Fuzzy Hash: 74518A75604A029FC714DF28C494E9ABBF4FF49314F14855EE99A8B3A2DB30ED44CBA1

Function 00522622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0052271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00522724
UnhandledExceptionFilter.KERNEL32(?), ref: 00522731

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5f3ac67ac2b16c96ce179e3cf6e504181ac2920374eb19d071f34c50285c3449
Instruction ID: 125cdfa55fdf15b27a3427c83d977b2fe0c65d7f3bd10716ddb1ea9962d295ee
Opcode Fuzzy Hash: 5f3ac67ac2b16c96ce179e3cf6e504181ac2920374eb19d071f34c50285c3449
Instruction Fuzzy Hash: 6A31C574901229ABCB21DF64D8887DDBBB8BF18310F5051DAE81CA62A0E7709F858F44

Function 005651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00565238
SetErrorMode.KERNEL32(00000000), ref: 005652A1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e309d0ea7dfd5c13e8506a15fadc3f6279af5754b39747c3eb305357565383b9
Instruction ID: 7e37c8c16acd6de7e500b7ec722c9edb433b00313034b074a5b3e69adb1140c5
Opcode Fuzzy Hash: e309d0ea7dfd5c13e8506a15fadc3f6279af5754b39747c3eb305357565383b9
Instruction Fuzzy Hash: 82315075A00518DFDB00DF55D8D4EADBBB4FF48318F048099E905AB392DB35E859CB61

Function 005516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0050FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00510668
Part of subcall function 0050FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00510685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
GetLastError.KERNEL32 ref: 0055174A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: eea3a4e04c0b050501c66a74dc8a5e12e026d55b9ec27576032f61bbb61d5239
Instruction ID: 38c410f6f81f2aa1b49683e34f2d4a5bff4286268f26ea03598439b8eb367895
Opcode Fuzzy Hash: eea3a4e04c0b050501c66a74dc8a5e12e026d55b9ec27576032f61bbb61d5239
Instruction Fuzzy Hash: 801131B2400305AFD3289F64EC8AE6FBFB9FB44710B20842EE45253281EB30BC458B20

Function 0055D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0055D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0055D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0055D650

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8c67e1cc18d603d35a88a3ba19ba89c4e18345e9b5e9af52980658b288041a7c
Instruction ID: 2d179b7523f86470893b6af9c15fd193750051987ab0fe92abccd16544b5097f
Opcode Fuzzy Hash: 8c67e1cc18d603d35a88a3ba19ba89c4e18345e9b5e9af52980658b288041a7c
Instruction Fuzzy Hash: 3D113C76E05228BBDB208F959C45FAFBFBCEB45B50F108156FD04E7290D6704A059BA1

Function 00551663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0055168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005516A1
FreeSid.ADVAPI32(?), ref: 005516B1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8ab25ee6d9d8e3331b2f79199d1ed7624a7957b660d72f7c42a42353895ea2fd
Instruction ID: 727d2a06b86daeb6e9894869cd07f53470f43b996da0c9e1405862433dffa455
Opcode Fuzzy Hash: 8ab25ee6d9d8e3331b2f79199d1ed7624a7957b660d72f7c42a42353895ea2fd
Instruction Fuzzy Hash: E3F04471940308FBDB00CFE09C89EAEBBBCFB08240F104461E900E2180E330AA089B60

Function 0054D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0054D28C

Strings

X64, xrefs: 0054D2A8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: b39a71044f7b136be5c18ac40455803316336d221c7ba7c3b01e27af3704feb1
Instruction ID: 5df1ab823502b6d4406a587f285b277da4ce5df5bdc5c6ebb5112ea5b210a8af
Opcode Fuzzy Hash: b39a71044f7b136be5c18ac40455803316336d221c7ba7c3b01e27af3704feb1
Instruction Fuzzy Hash: DFD0C9B480511DEBCB90CB90DC8CDDDBB7CBB14345F100551F506A2140D77495489F20

Function 0051CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d28e11acbf6a6ba890ff45c684f0cbf64fa0f452e25c032f6bddcc69b4285617
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 8B020B71E402199BDF14CFA9D8806EDBFB5FF88314F254669D819EB280D731AD418B94

Function 004FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#\, xrefs: 004FCF7F
Variable is not of type 'Object'., xrefs: 00540C40

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#\
API String ID: 0-856599282
Opcode ID: 6e225580b3f6c8511306896db72fced0718b63b0a9c0bc5d4e1298151a318fce
Instruction ID: 3d664b15d03af2ef92e4330cd6ad0f41ace81a038a63c644cd840db5610adc31
Opcode Fuzzy Hash: 6e225580b3f6c8511306896db72fced0718b63b0a9c0bc5d4e1298151a318fce
Instruction Fuzzy Hash: C1328E7090021DDBCF14DF90CA85AFDBBB5FF04308F24405AEA06AB291D779AD46DB65

Function 005668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00566918
FindClose.KERNEL32(00000000), ref: 00566961

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b5ba9897e04eca03d5d8c67e5864720aee34e83e5e7e71bd3463d2900358b59c
Instruction ID: d04006ffa955d88646f53acea96fad26b4318185fe53f47fdb791e71216f6588
Opcode Fuzzy Hash: b5ba9897e04eca03d5d8c67e5864720aee34e83e5e7e71bd3463d2900358b59c
Instruction Fuzzy Hash: BB11D0356042059FC710CF2AC484A26BBE4FF84328F04C69DE86A8F6A2C734EC05CBA1

Function 005637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00574891,?,?,00000035,?), ref: 005637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00574891,?,?,00000035,?), ref: 005637F4

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 901cfc459a0619a65df2fe487b254d9ec92966a09c7504fc459039b3f3075614
Instruction ID: 5bdfa9813a393db18d84b447858abe6a9a68c48e9da2f6468916b3cc93045b5e
Opcode Fuzzy Hash: 901cfc459a0619a65df2fe487b254d9ec92966a09c7504fc459039b3f3075614
Instruction Fuzzy Hash: 4CF0E5B06042292AE72057769C4DFEB3FAEEFC4761F000165F509E3281DA709E08C7B0

Function 0055B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0055B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0055B270

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bcc8506a8a4ccb3dc3f26727125661cd1c5ef227069a129c513e0596c7113bed
Instruction ID: 50f38cbf51f235315015f8e156a5564a5b6091a781f32c4676aad6c3ec31151d
Opcode Fuzzy Hash: bcc8506a8a4ccb3dc3f26727125661cd1c5ef227069a129c513e0596c7113bed
Instruction Fuzzy Hash: 19F01D7580424DABEF059FA0C805BAE7FB4FF04305F00940AFD55A5191C77986159FA4

Function 005510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005511FC), ref: 005510D4
CloseHandle.KERNEL32(?,?,005511FC), ref: 005510E9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b2b620c9d05cf9edb59059c02f1146a427188b4c87f9d83e23a01919d43930bf
Instruction ID: 55fca517204bcf1f3de473feca441caba76fec49d35610c263f1837d4a4d4afa
Opcode Fuzzy Hash: b2b620c9d05cf9edb59059c02f1146a427188b4c87f9d83e23a01919d43930bf
Instruction Fuzzy Hash: 5DE04F32004601EFE7252B61FC09E777FA9FB04310B24882EF8A5804F1DB72AC90EB64

Function 0052676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00526766,?,?,00000008,?,?,0052FEFE,00000000), ref: 00526998

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5735c6b8d07b6dc01538a03640ff1eb5a94e6f746db688e65fa4fc5607ad1419
Instruction ID: 5e9b2390d32cc2002737ff259914b2f4fdd46ecefee6b4216d1c47e29c98a005
Opcode Fuzzy Hash: 5735c6b8d07b6dc01538a03640ff1eb5a94e6f746db688e65fa4fc5607ad1419
Instruction Fuzzy Hash: 6FB126326106189FD719CF28D48AB657FE0FF46364F298658E899CB2E2C735E981CB40

Function 0050B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0054851F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fb3ec338bd9b58d09fe2003b3b097d9243b8fa7a911041642adf778958b8b957
Instruction ID: 7810d02313d0877da75020a16ce36474b6257511fc46d7705d388408585b7a72
Opcode Fuzzy Hash: fb3ec338bd9b58d09fe2003b3b097d9243b8fa7a911041642adf778958b8b957
Instruction Fuzzy Hash: 7F124F759002299BDF24CF58C8806FEBBF5FF48714F14859AE849EB295DB349E81CB90

Function 0056EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0056EABD

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 95ac85ba448378a2fc3bcf5329e4bdf3d51fcbf8c6c5303ac0cfaedc685ce9ae
Instruction ID: 1df2e6c93890ce5c2c3f000b5c768f8e59c853b898c8a57e9afcb58b9e0010da
Opcode Fuzzy Hash: 95ac85ba448378a2fc3bcf5329e4bdf3d51fcbf8c6c5303ac0cfaedc685ce9ae
Instruction Fuzzy Hash: CCE048352002049FC710DF9AD445D5AFBD9FF59764F00841AFD45D7351D774E8408BA1

Function 005109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005103EE), ref: 005109DA

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 106a2db3b86a3cf661ecdbee02ab460a9eb2dd11395c310717ebe81f5c1cb449
Instruction ID: 306917d2c7110a2784015172e7b02c8ce4bf165e56e6fea7fd828cf5a91b763e
Opcode Fuzzy Hash: 106a2db3b86a3cf661ecdbee02ab460a9eb2dd11395c310717ebe81f5c1cb449
Instruction Fuzzy Hash:

Function 0051781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0051798B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 086e08a61e4b734b7ddf22edbc55a9a81b4bd125a9a8e96bd5a0e2bcef22e142
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 6751686160C60E7BFB38552C885D7FE2FB9BB5E340F180909E882D7282C615DECAD356

Function 00562046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&\, xrefs: 00562053

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: 0&\
API String ID: 0-2049548921
Opcode ID: 50e7a0dc6b188c77bd6cf3dbf9a064542e235aed4876f65ffbf7b66307dda6c5
Instruction ID: a80ca7d95e4c498576f3a3afff1382395d4e7093bac71858b085d65ea63e959c
Opcode Fuzzy Hash: 50e7a0dc6b188c77bd6cf3dbf9a064542e235aed4876f65ffbf7b66307dda6c5
Instruction Fuzzy Hash: 7A21D8322209158BD728CF79C81767A77E5B764320F14862EE4A7C33D0DE35A944D750

Function 00526DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fceacffc98bd44506886070a8b3e3812551ab4eae7fd5e0390d91affe98c49
Instruction ID: c24fe40d2ef066d89852fc5342de15b3f80cecda8de7b0818145755a714afa4f
Opcode Fuzzy Hash: f6fceacffc98bd44506886070a8b3e3812551ab4eae7fd5e0390d91affe98c49
Instruction Fuzzy Hash: 99324531D29F154ED7239634D862335AA8CBFBB3C5F15C737E81AB59A6EB28C4835140

Function 0050CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ee2720cb9d1c3b8caf3bd3f366d662a3e7e6b045d97cd9a2c7ad2bb41e3f99
Instruction ID: 7c0fa8a816b4cef4998cb3d260f7980fed130c66be24be43f202af6daf81673a
Opcode Fuzzy Hash: 86ee2720cb9d1c3b8caf3bd3f366d662a3e7e6b045d97cd9a2c7ad2bb41e3f99
Instruction Fuzzy Hash: 04321531A011558BDF68CF29C4D46FD7FA1FBC6308F29866AD46A9B6D2D230DD81DB40

Function 004F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953cc866ba8ff2a25a67f9f52879845ef0deb1cc8f6ce1e1d57889c444838605
Instruction ID: 5e8ec002c85887839be9a644e5f343fea2dd7cbb36618b0e50ad0e58eb10d5e5
Opcode Fuzzy Hash: 953cc866ba8ff2a25a67f9f52879845ef0deb1cc8f6ce1e1d57889c444838605
Instruction Fuzzy Hash: 6822D3B0A0060ADFDF14CF65C841ABEBBF6FF44304F10462AE816A7291EB39AD55CB55

Function 004F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3991439caa3a452fa16e22743922db57b6694936d4ec91e057d0501ae3d870b
Instruction ID: 3cec12e546cd06e830e659d8162d3a7eaa08ff90066870eb0a12f69d98e21e4d
Opcode Fuzzy Hash: b3991439caa3a452fa16e22743922db57b6694936d4ec91e057d0501ae3d870b
Instruction Fuzzy Hash: 7302F7B0E0010AEBDF04DF54D886AAEBBF5FF44300F118569E9069B2D1EB35AE51CB95

Function 00529EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945ebb52f888c10c3d06f2e0605a2182d302fa45f4b154dd7a22b3f53a1e1607
Instruction ID: cf012324bc4cbc55fa8bd81b25cc072f36c6d68ea60d27e52a162f7483d4b608
Opcode Fuzzy Hash: 945ebb52f888c10c3d06f2e0605a2182d302fa45f4b154dd7a22b3f53a1e1607
Instruction Fuzzy Hash: EDB13420D2AF508DD32396398831336BA4CBFBB6C5F92DB1BFC1674D62EB2185879140

Function 00511C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 9c0d328e2d3c23ffa0935ee8ce228ebce553c421d0f0b2e6254ed0164b5e923c
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D49189722084A34AFB29467E95740BEFFE17A923A131A0BDDD5F2CA1C1FE14C9D4D624

Function 005119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a360573c14f9f5609691cfb49f52d29809ea8dd2fe21bd6448a8ffe05aa1b668
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C791767220D8A34AFB2D427A85740BDFFE16A923A171A0BDDD5F2CA1C1FE14C9D4D624

Function 00517A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8186835c186e524b2de7bef5876e9fed50f5aafe3f71712f2140876f46cc0b13
Instruction ID: 125c189becc9b84b9963ddf37d3ab6187d50b6cc3f5a574eef4ddbe4b5ce3110
Opcode Fuzzy Hash: 8186835c186e524b2de7bef5876e9fed50f5aafe3f71712f2140876f46cc0b13
Instruction Fuzzy Hash: BD61276160C70E56FA34992C8899BFE6FB5FF8D704F240D19E842DB281EB119EC2C355

Function 00517CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eeaf69445b710251af0ec50107b800ef3ddbf7c44f480b4f5909e0b65e16f0
Instruction ID: f73e9e9bf86a45775cebe27063047d0afd926e3852f2dc4fd73be2fe6b29dfcd
Opcode Fuzzy Hash: 56eeaf69445b710251af0ec50107b800ef3ddbf7c44f480b4f5909e0b65e16f0
Instruction Fuzzy Hash: DD61476120C60E56FA385A3C6855BFE2FF8BF8E704F140A59E942DB281DA12ADC28255

Function 00511706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 30a39975a915a35087dbf166de175157a04e1a465eaa1a2155836e99b125ac48
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: B38186326094A309FB6D423E85744BEFFE17A923A131A47DDD5F2CB1C1EE24C994D624

Function 00543CD2 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d7beb944894a5e138d9467a5474e1eefb1d7b85fa41dd02d916f483790bfc1
Instruction ID: 4c7d043a4b3f54770baf1f83c3ef75723afd30b69fb0a7336f0b85b43ddee364
Opcode Fuzzy Hash: 44d7beb944894a5e138d9467a5474e1eefb1d7b85fa41dd02d916f483790bfc1
Instruction Fuzzy Hash: 9A610974909281AFD725CB1484D4DE7BFE1BF4631871A84FFD9860B2A3D630DA4ACB06

Function 00572ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00572B30
DeleteObject.GDI32(00000000), ref: 00572B43
DestroyWindow.USER32 ref: 00572B52
GetDesktopWindow.USER32 ref: 00572B6D
GetWindowRect.USER32(00000000), ref: 00572B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00572CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00572CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572CF8
GetClientRect.USER32(00000000,?), ref: 00572D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00572D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D80
GlobalLock.KERNEL32(00000000), ref: 00572D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D98
GlobalUnlock.KERNEL32(00000000), ref: 00572DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572DA8
GlobalFree.KERNEL32(00000000), ref: 00572DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0058FC38,00000000), ref: 00572DDB
GlobalFree.KERNEL32(00000000), ref: 00572DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00572E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00572E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0057303F

Strings

DISPLAY, xrefs: 00572EA2
, xrefs: 00572FC5
AutoIt v3, xrefs: 00572CF2
static, xrefs: 00572D3A, 00572E91

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 725c5e7fb5d8c8846d38c545ff46ba9a3112a0ab2061161f09de8a0c6730631b
Instruction ID: bbfe4691f67fae53626a7bcbc6aa04da8d6b7563fb061073c1092ef81b999eb9
Opcode Fuzzy Hash: 725c5e7fb5d8c8846d38c545ff46ba9a3112a0ab2061161f09de8a0c6730631b
Instruction Fuzzy Hash: 42028971900208AFDB14DF64DC89EAE7FB9FB49714F008519F919AB2A1DB74ED04DB60

Function 005870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0058712F
GetSysColorBrush.USER32(0000000F), ref: 00587160
GetSysColor.USER32(0000000F), ref: 0058716C
SetBkColor.GDI32(?,000000FF), ref: 00587186
SelectObject.GDI32(?,?), ref: 00587195
InflateRect.USER32(?,000000FF,000000FF), ref: 005871C0
GetSysColor.USER32(00000010), ref: 005871C8
CreateSolidBrush.GDI32(00000000), ref: 005871CF
FrameRect.USER32(?,?,00000000), ref: 005871DE
DeleteObject.GDI32(00000000), ref: 005871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00587230
FillRect.USER32(?,?,?), ref: 00587262
GetWindowLongW.USER32(?,000000F0), ref: 00587284

Part of subcall function 005873E8: GetSysColor.USER32(00000012), ref: 00587421
Part of subcall function 005873E8: SetTextColor.GDI32(?,?), ref: 00587425
Part of subcall function 005873E8: GetSysColorBrush.USER32(0000000F), ref: 0058743B
Part of subcall function 005873E8: GetSysColor.USER32(0000000F), ref: 00587446
Part of subcall function 005873E8: GetSysColor.USER32(00000011), ref: 00587463
Part of subcall function 005873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00587471
Part of subcall function 005873E8: SelectObject.GDI32(?,00000000), ref: 00587482
Part of subcall function 005873E8: SetBkColor.GDI32(?,00000000), ref: 0058748B
Part of subcall function 005873E8: SelectObject.GDI32(?,?), ref: 00587498
Part of subcall function 005873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005874B7
Part of subcall function 005873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005874CE
Part of subcall function 005873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005874DB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: c6811b4f69c82c6b6fca891942af70fb7ef9a20259224c82ee42b98389e3d3b3
Instruction ID: 1494d040624d8fd7d4d17102c9ffa35ea2dc20279e087291377b247b6adce027
Opcode Fuzzy Hash: c6811b4f69c82c6b6fca891942af70fb7ef9a20259224c82ee42b98389e3d3b3
Instruction Fuzzy Hash: 58A1A172008305AFDB00AF64DC48E5B7FA9FF99320F201A19FD62A61E1D731E948DB61

Function 00508D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00508E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00546AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00546AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00546F43

Part of subcall function 00508F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00508BE8,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508FC5

SendMessageW.USER32(?,00001053), ref: 00546F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00546F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00546FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00546FB7

Strings

0, xrefs: 00546DCF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 2990dc3628944cd732639bc4e6ec3951574d36625858f432fbb2bac03365af6b
Instruction ID: 59e643af14b9b19bb9fa590f839974e9668460f12cd6cdaa446591eba5309df9
Opcode Fuzzy Hash: 2990dc3628944cd732639bc4e6ec3951574d36625858f432fbb2bac03365af6b
Instruction Fuzzy Hash: D7129B30600601EFDB25CF14C888FBABFE9FB56304F184469E5859B2A2CB31EC55EB52

Function 00572711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0057273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0057286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00572900
GetClientRect.USER32(00000000,?), ref: 0057290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00572955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00572964
GetStockObject.GDI32(00000011), ref: 00572974
SelectObject.GDI32(00000000,00000000), ref: 00572978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00572988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00572991
DeleteDC.GDI32(00000000), ref: 0057299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00572A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00572A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00572A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00572A77
GetStockObject.GDI32(00000011), ref: 00572A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00572A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00572A97

Strings

DISPLAY, xrefs: 0057295A
AutoIt v3, xrefs: 005728F8
static, xrefs: 0057294F, 00572A71
msctls_progress32, xrefs: 00572A13

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: bccc4ccaabc2d908c4cf877bfba649baf06854a3009f480614dd3f36e4a7d6b8
Instruction ID: c96318fbd0913d8fa37d4068fc28239dcc34f8655c0a166698e7b3553500aad0
Opcode Fuzzy Hash: bccc4ccaabc2d908c4cf877bfba649baf06854a3009f480614dd3f36e4a7d6b8
Instruction Fuzzy Hash: 53B1AB71A00609AFEB14CF68DC89EAE7BB9FB08714F008519FA14E7291D774ED04DBA4

Function 00564ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00564AED
GetDriveTypeW.KERNEL32(?,0058CB68,?,\\.\,0058CC08), ref: 00564BCA
SetErrorMode.KERNEL32(00000000,0058CB68,?,\\.\,0058CC08), ref: 00564D36

Strings

RAMDisk, xrefs: 00564BF4
\\.\, xrefs: 00564B3F
Unknown, xrefs: 00564BED, 00564C83
1394, xrefs: 00564C9F
Fibre, xrefs: 00564CAD
SSD, xrefs: 00564C4A
MMC, xrefs: 00564CDE
SCSI, xrefs: 00564C8A
FileBackedVirtual, xrefs: 00564CEC
Virtual, xrefs: 00564CE5
ATAPI, xrefs: 00564C91
PhysicalDrive, xrefs: 00564B76
USB, xrefs: 00564CB4
Network, xrefs: 00564C02
SSA, xrefs: 00564CA6
ATA, xrefs: 00564C98
SATA, xrefs: 00564CD0
Fixed, xrefs: 00564C09
CDROM, xrefs: 00564BFB
RAID, xrefs: 00564CBB
Removable, xrefs: 00564C10, 00564C15
iSCSI, xrefs: 00564CC2
SAS, xrefs: 00564CC9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ab83aea665890af6b409d5ed8bbf296eaa298125b09a75fb52a0580061f7fd5b
Instruction ID: abdd9e493615c8b156ab474982c61aa77b225ac8f769d5e59f4e09800ef7c190
Opcode Fuzzy Hash: ab83aea665890af6b409d5ed8bbf296eaa298125b09a75fb52a0580061f7fd5b
Instruction Fuzzy Hash: 9561BF7170520A9FDB14DF28CA829B97FB0BF44344B24881AF806AB791DB3AED41DF51

Function 005873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00587421
SetTextColor.GDI32(?,?), ref: 00587425
GetSysColorBrush.USER32(0000000F), ref: 0058743B
GetSysColor.USER32(0000000F), ref: 00587446
CreateSolidBrush.GDI32(?), ref: 0058744B
GetSysColor.USER32(00000011), ref: 00587463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00587471
SelectObject.GDI32(?,00000000), ref: 00587482
SetBkColor.GDI32(?,00000000), ref: 0058748B
SelectObject.GDI32(?,?), ref: 00587498
InflateRect.USER32(?,000000FF,000000FF), ref: 005874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0058752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00587554
InflateRect.USER32(?,000000FD,000000FD), ref: 00587572
DrawFocusRect.USER32(?,?), ref: 0058757D
GetSysColor.USER32(00000011), ref: 0058758E
SetTextColor.GDI32(?,00000000), ref: 00587596
DrawTextW.USER32(?,005870F5,000000FF,?,00000000), ref: 005875A8
SelectObject.GDI32(?,?), ref: 005875BF
DeleteObject.GDI32(?), ref: 005875CA
SelectObject.GDI32(?,?), ref: 005875D0
DeleteObject.GDI32(?), ref: 005875D5
SetTextColor.GDI32(?,?), ref: 005875DB
SetBkColor.GDI32(?,?), ref: 005875E5

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: eac49ff31850186416b283767a8aa0b7b53fa03d828944089f4550ede319ee06
Instruction ID: b635b8c66577df2e196505c068f638275697f09e310577eb4aff8e614c734e25
Opcode Fuzzy Hash: eac49ff31850186416b283767a8aa0b7b53fa03d828944089f4550ede319ee06
Instruction Fuzzy Hash: A0615D72900218AFDF01AFA4DC49EAE7FB9FB08320F215515FD15BB2A1D7749940DBA0

Function 00580FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00581128
GetDesktopWindow.USER32 ref: 0058113D
GetWindowRect.USER32(00000000), ref: 00581144
GetWindowLongW.USER32(?,000000F0), ref: 00581199
DestroyWindow.USER32(?), ref: 005811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0058120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0058121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00581232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00581245
IsWindowVisible.USER32(00000000), ref: 005812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005812D0
GetWindowRect.USER32(00000000,?), ref: 005812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0058130E
GetMonitorInfoW.USER32(00000000,?), ref: 00581328
CopyRect.USER32(?,?), ref: 0058133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005813AA

Strings

(, xrefs: 0058131B
0, xrefs: 005810D3
tooltips_class32, xrefs: 005811E6

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 58c2ab1fc626194ab36d0b04000afd8c8a1df2da4e4b80165153ad61eed0dfdb
Instruction ID: f4507934843dcfdd9400fe17f2d55cae5e0ccc6125893996c40aeae0caf64900
Opcode Fuzzy Hash: 58c2ab1fc626194ab36d0b04000afd8c8a1df2da4e4b80165153ad61eed0dfdb
Instruction Fuzzy Hash: E7B18F71604741AFD700DF65C888B6ABFE8FF84354F00891DF99AAB261DB31E845CBA5

Function 00580241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005802E5
_wcslen.LIBCMT ref: 0058031F
_wcslen.LIBCMT ref: 00580389
_wcslen.LIBCMT ref: 005803F1
_wcslen.LIBCMT ref: 00580475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00580504

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

Part of subcall function 0055223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00552258
Part of subcall function 0055223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0055228A

Strings

SELECTINVERT, xrefs: 0058057E
ISSELECTED, xrefs: 005804DD
GETSUBITEMCOUNT, xrefs: 00580384, 0058039F
GETSELECTEDCOUNT, xrefs: 00580470, 0058048B
GETTEXT, xrefs: 005803EC, 00580407
VIEWCHANGE, xrefs: 00580675
SELECTCLEAR, xrefs: 0058052D
DESELECT, xrefs: 0058059C
FINDITEM, xrefs: 00580627
GETITEMCOUNT, xrefs: 00580316, 00580337
SELECTALL, xrefs: 00580515
SELECT, xrefs: 00580548
GETSELECTED, xrefs: 005805E1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5fd080525d0c3fadb134f19d87d40cebf4b0af2879ea46f561e70a0c22fb0646
Instruction ID: 7bafc90c196e7423504a117b36408cd9710611ddd8b73524445f07f8c1ead7a3
Opcode Fuzzy Hash: 5fd080525d0c3fadb134f19d87d40cebf4b0af2879ea46f561e70a0c22fb0646
Instruction Fuzzy Hash: CEE1BD312082059FCB54EF25C45183ABBE2BFC8358B14596DFC96AB2E1DB34ED49CB91

Function 00508891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00508968
GetSystemMetrics.USER32(00000007), ref: 00508970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0050899B
GetSystemMetrics.USER32(00000008), ref: 005089A3
GetSystemMetrics.USER32(00000004), ref: 005089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00508A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00508A3C
GetClientRect.USER32(00000000,000000FF), ref: 00508A5A
GetStockObject.GDI32(00000011), ref: 00508A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00508A81

Part of subcall function 0050912D: GetCursorPos.USER32(?), ref: 00509141
Part of subcall function 0050912D: ScreenToClient.USER32(00000000,?), ref: 0050915E
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000001), ref: 00509183
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000002), ref: 0050919D

SetTimer.USER32(00000000,00000000,00000028,005090FC), ref: 00508AA8

Strings

AutoIt v3 GUI, xrefs: 00508A20

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0e3bd22a1f5efaab04ea2ffe4f6bd99f874f00a6e7980f52658f1579c4f9ccec
Instruction ID: 578b379737658c818a38a3891e20c6e24ce9840c99875cfdfc772fb2456fb907
Opcode Fuzzy Hash: 0e3bd22a1f5efaab04ea2ffe4f6bd99f874f00a6e7980f52658f1579c4f9ccec
Instruction Fuzzy Hash: 5CB16871A0020A9FDF14DFA8CC49FAE3FA5FB49314F104629FA15A7290DB74E840DB65

Function 00550D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
Part of subcall function 005510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
Part of subcall function 005510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
Part of subcall function 005510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00550DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00550E29
GetLengthSid.ADVAPI32(?), ref: 00550E40
GetAce.ADVAPI32(?,00000000,?), ref: 00550E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00550E96
GetLengthSid.ADVAPI32(?), ref: 00550EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00550EB5
HeapAlloc.KERNEL32(00000000), ref: 00550EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00550EDD
CopySid.ADVAPI32(00000000), ref: 00550EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00550F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00550F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00550F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F6E
HeapFree.KERNEL32(00000000), ref: 00550F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F7E
HeapFree.KERNEL32(00000000), ref: 00550F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F8E
HeapFree.KERNEL32(00000000), ref: 00550F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00550FA1
HeapFree.KERNEL32(00000000), ref: 00550FA8

Part of subcall function 00551193: GetProcessHeap.KERNEL32(00000008,00550BB1,?,00000000,?,00550BB1,?), ref: 005511A1
Part of subcall function 00551193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00550BB1,?), ref: 005511A8
Part of subcall function 00551193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00550BB1,?), ref: 005511B7

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5b75120dbce42a3f9311cb501d3cfeedefc3d704784644980b58e8985d887d96
Instruction ID: e8b3512bf88941d0e66f2c0694e97605ff2cfbbee53337223d64fe05573d9cef
Opcode Fuzzy Hash: 5b75120dbce42a3f9311cb501d3cfeedefc3d704784644980b58e8985d887d96
Instruction Fuzzy Hash: DC71487290020AEBDB209FA4DC89BAEBFB8BF14342F145116ED19B6191D7319A09CB70

Function 0057C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0058CC08,00000000,?,00000000,?,?), ref: 0057C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0057C5A4
_wcslen.LIBCMT ref: 0057C5F4
_wcslen.LIBCMT ref: 0057C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0057C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0057C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0057C84D
RegCloseKey.ADVAPI32(?), ref: 0057C881
RegCloseKey.ADVAPI32(00000000), ref: 0057C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0057C960

Strings

REG_SZ, xrefs: 0057C644
REG_MULTI_SZ, xrefs: 0057C6F5
REG_DWORD, xrefs: 0057C804
REG_QWORD, xrefs: 0057C8C3
REG_EXPAND_SZ, xrefs: 0057C5CD
REG_BINARY, xrefs: 0057C913

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a35c04eebb048ae66f34d03070e7666b1c441a3658ec6f164de4a5093112393f
Instruction ID: 639884e61fdb83abf5ab008975249f0d9fdec3260f4efcfd6322ab869e41607f
Opcode Fuzzy Hash: a35c04eebb048ae66f34d03070e7666b1c441a3658ec6f164de4a5093112393f
Instruction Fuzzy Hash: 18127831204201AFDB14DF15D885A2ABBE5FF88358F04885DF98A9B3A2DB35FC45DB85

Function 0058091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005809C6
_wcslen.LIBCMT ref: 00580A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00580A54
_wcslen.LIBCMT ref: 00580A8A
_wcslen.LIBCMT ref: 00580B06
_wcslen.LIBCMT ref: 00580B81

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

Part of subcall function 00552BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00552BFA

Strings

GETTOTALCOUNT, xrefs: 005809F2, 00580A17
ISCHECKED, xrefs: 00580CE1
CHECK, xrefs: 00580A85, 00580AA0
UNCHECK, xrefs: 00580D3E
EXPAND, xrefs: 00580BF8
GETITEMCOUNT, xrefs: 00580C1E
COLLAPSE, xrefs: 00580B01, 00580B1C
EXISTS, xrefs: 00580B7C, 00580B97
SELECT, xrefs: 00580D11
GETTEXT, xrefs: 00580C97
GETSELECTED, xrefs: 00580C4E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: be35b8f69c470c4394506eff390201a59faf313140a224d5b60e22fd2bfe4142
Instruction ID: d8c13c359d4ea6e2df8c9fad8b33dc3f0fb82d427809855e3bae1af2811dd4d9
Opcode Fuzzy Hash: be35b8f69c470c4394506eff390201a59faf313140a224d5b60e22fd2bfe4142
Instruction Fuzzy Hash: 55E1AA312083029FC754EF25C45196EBBE1BF98358F14995DF896AB3A2DB30ED49CB81

Function 0057C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
_wcslen.LIBCMT ref: 0057C9F1
_wcslen.LIBCMT ref: 0057CA68
_wcslen.LIBCMT ref: 0057CA9E
_wcslen.LIBCMT ref: 0057CAF9
_wcslen.LIBCMT ref: 0057CB2F
_wcslen.LIBCMT ref: 0057CB7F

Strings

HKCC, xrefs: 0057CBAC
HKEY_USERS, xrefs: 0057CBDF
HKEY_CURRENT_USER, xrefs: 0057CBBD
HKEY_CURRENT_CONFIG, xrefs: 0057CB79, 0057CB7E
HKU, xrefs: 0057CBF0
HKEY_LOCAL_MACHINE, xrefs: 0057CA62, 0057CA67
HKEY_CLASSES_ROOT, xrefs: 0057CAF3, 0057CAF8
HKLM, xrefs: 0057CA98, 0057CA9D
HKCR, xrefs: 0057CB29, 0057CB2E
HKCU, xrefs: 0057CBCE

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0b4d25b5260cd80bb013cbf4fca16dbf60fbdab22656f487c73623598bfd0972
Instruction ID: 795f0919b22fdc69ce3c4e789ffbd221f5bd39084191ee1705772777b873e531
Opcode Fuzzy Hash: 0b4d25b5260cd80bb013cbf4fca16dbf60fbdab22656f487c73623598bfd0972
Instruction Fuzzy Hash: E671173261012B8BCB20DE7CE8415FE3F95BBA4754B65852CF86E97284EA30DD84E390

Function 0058833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058835A
_wcslen.LIBCMT ref: 0058836E
_wcslen.LIBCMT ref: 00588391
_wcslen.LIBCMT ref: 005883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00585BF2), ref: 0058844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00588487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00588501
FreeLibrary.KERNEL32(?), ref: 0058850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0058851D
DestroyIcon.USER32(?,?,?,?,?,00585BF2), ref: 0058852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00588549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00588555

Strings

.dll, xrefs: 005883AB
.exe, xrefs: 00588388
.icl, xrefs: 00588368

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a7d777b8b2838e2c4e84804e4718e2ddfa1b4eeedf77f78294f161f9b845c951
Instruction ID: 1f83270afc5b31c5a40ea970c767637fbd0355f559ebdd6601eb09f8d93dc174
Opcode Fuzzy Hash: a7d777b8b2838e2c4e84804e4718e2ddfa1b4eeedf77f78294f161f9b845c951
Instruction Fuzzy Hash: 6661D07250020ABAEB14EF64CC85BFE7BA8FF48711F504609FD15E61D1DB74A984DBA0

Function 004F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 0053519A
#include, xrefs: 004F7847
Unterminated group of comments, xrefs: 0053528C
', xrefs: 00535169
", xrefs: 00535153
#include-once, xrefs: 004F782F
#ce, xrefs: 004F78ED
Cannot parse #include, xrefs: 00535279
#comments-end, xrefs: 004F78D9
#cs, xrefs: 004F7873, 004F78C5
#pragma compile, xrefs: 004F77D3
#OnAutoItStartRegister, xrefs: 004F7817
#notrayicon, xrefs: 004F77E7
#comments-start, xrefs: 004F785F, 004F78B1
#requireadmin, xrefs: 004F77FF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1720baf722516e20758521a8a89c6c17747e291255cd45144d879dc9e1fd8302
Instruction ID: 5fb17b156f1ea2fbf15d62a2342c937f9929ea4cacd7625c59cd08175db9a0e1
Opcode Fuzzy Hash: 1720baf722516e20758521a8a89c6c17747e291255cd45144d879dc9e1fd8302
Instruction Fuzzy Hash: D681DB7160460ABBEB21BF60CC46FBF3FA8BF55340F044025FA05AA196EB78D951C7A5

Function 00563E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00563EF8
_wcslen.LIBCMT ref: 00563F03
_wcslen.LIBCMT ref: 00563F5A
_wcslen.LIBCMT ref: 00563F98
GetDriveTypeW.KERNEL32(?), ref: 00563FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0056401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00564059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00564087

Strings

type cdaudio alias cd wait, xrefs: 00564001
closed, xrefs: 00563F08, 00563F2D, 00563F46, 00563F7E, 00563F97
open , xrefs: 00563FE5
close, xrefs: 00563EFE, 00563F18
open, xrefs: 00563F54, 00563F59
wait, xrefs: 00564044
set cd door , xrefs: 00564028
close cd wait, xrefs: 00564072

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4324d130f047bb48ae519cf7a6f88d0de859216d3781890ca53f780a17dec631
Instruction ID: 936635a883557cac9de792580a2aabfffb33282c68d91ef7104077e329383435
Opcode Fuzzy Hash: 4324d130f047bb48ae519cf7a6f88d0de859216d3781890ca53f780a17dec631
Instruction Fuzzy Hash: 5F71D2326042169FC310EF25C8818BABBF4FF94768F10492DF99597291EB39ED49CB51

Function 00555A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00555A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00555A40
SetWindowTextW.USER32(?,?), ref: 00555A57
GetDlgItem.USER32(?,000003EA), ref: 00555A6C
SetWindowTextW.USER32(00000000,?), ref: 00555A72
GetDlgItem.USER32(?,000003E9), ref: 00555A82
SetWindowTextW.USER32(00000000,?), ref: 00555A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00555AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00555AC3
GetWindowRect.USER32(?,?), ref: 00555ACC
_wcslen.LIBCMT ref: 00555B33
SetWindowTextW.USER32(?,?), ref: 00555B6F
GetDesktopWindow.USER32 ref: 00555B75
GetWindowRect.USER32(00000000), ref: 00555B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00555BD3
GetClientRect.USER32(?,?), ref: 00555BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00555C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00555C2F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: eda6efc24bcae25fd7c42fb223a14bb174c1dfb3f8882587fb523fd6634b1587
Instruction ID: 7e63453b39afe99209650ed586d64b244511bbe35e1216d81141d27ac7483ece
Opcode Fuzzy Hash: eda6efc24bcae25fd7c42fb223a14bb174c1dfb3f8882587fb523fd6634b1587
Instruction Fuzzy Hash: 6E718031900B059FDB20DFA9CD69A6EBFF5FF48715F100919E942A25A0E774E948CB50

Function 0056FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0056FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0056FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0056FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0056FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0056FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0056FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0056FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0056FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0056FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0056FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0056FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0056FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0056FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0056FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0056FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0056FECC
GetCursorInfo.USER32(?), ref: 0056FEDC
GetLastError.KERNEL32 ref: 0056FF1E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e04b1b4fd236ab0a233b2e8aa6284e51db8aa3ba8cda688c098bc754e6cd6762
Instruction ID: 7c02cd48d2abdf59725d8f42343b773a0573110d4bbb6508b74de753c029fe9e
Opcode Fuzzy Hash: e04b1b4fd236ab0a233b2e8aa6284e51db8aa3ba8cda688c098bc754e6cd6762
Instruction Fuzzy Hash: 104124B0D043196ADB10DFBA9C8585EFFE8FF04754B50452AE51DE7281DB789901CF91

Function 005530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0055318D
_wcslen.LIBCMT ref: 005531F8

Strings

[[, xrefs: 0055339A
NAME, xrefs: 00553335, 00553346
TEXT, xrefs: 0055347C
CLASSNN, xrefs: 005531F3, 00553204
REGEXPCLASS, xrefs: 00553255, 00553266
INSTANCE, xrefs: 00553453
CLASS, xrefs: 00553188, 005531A5

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[[
API String ID: 176396367-478666498
Opcode ID: 01efc1ed3869a616485bb058cee99f8f66592596084f38c49efa2cd03c4ccbe1
Instruction ID: 47fb182f5804c4f7322fa9917e222d69e47cc30f01803daef69936ed5406e1d8
Opcode Fuzzy Hash: 01efc1ed3869a616485bb058cee99f8f66592596084f38c49efa2cd03c4ccbe1
Instruction Fuzzy Hash: 83E1D732A00516ABCF189F74C4657EDBFB0BF54791F54852BE85AA7240EB30AE8DC790

Function 005100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005100C6

Part of subcall function 005100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005C070C,00000FA0,0BA54D2D,?,?,?,?,005323B3,000000FF), ref: 0051011C
Part of subcall function 005100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005323B3,000000FF), ref: 00510127
Part of subcall function 005100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005323B3,000000FF), ref: 00510138
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0051014E
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0051015C
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0051016A
Part of subcall function 005100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00510195
Part of subcall function 005100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005101A0

___scrt_fastfail.LIBCMT ref: 005100E7

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

Strings

InitializeConditionVariable, xrefs: 00510148
WakeAllConditionVariable, xrefs: 00510162
kernel32.dll, xrefs: 00510133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00510122
SleepConditionVariableCS, xrefs: 00510154

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 414aedcce3681d2d055f38eab5075882a27be3b44decb7248ca2617e2a0b0965
Instruction ID: 7214b2f3ff1f4fab3dcfe755b73f254b80200af5b45fa4a09f9cb7c16ef04e9a
Opcode Fuzzy Hash: 414aedcce3681d2d055f38eab5075882a27be3b44decb7248ca2617e2a0b0965
Instruction Fuzzy Hash: 1B212532681711ABF7106BA4AC4DBAA3FD4FB58B50F002129FD01F62D1DAB49884CBA0

Function 005644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0058CC08), ref: 00564527
_wcslen.LIBCMT ref: 0056453B
_wcslen.LIBCMT ref: 00564599
_wcslen.LIBCMT ref: 005645F4
_wcslen.LIBCMT ref: 0056463F
_wcslen.LIBCMT ref: 005646A7

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

GetDriveTypeW.KERNEL32(?,005B6BF0,00000061), ref: 00564743

Strings

removable, xrefs: 005645EA, 005645EF
unknown, xrefs: 00564708
ramdisk, xrefs: 005646F1
network, xrefs: 0056469D, 005646A2
fixed, xrefs: 00564635, 0056463A
cdrom, xrefs: 0056458F, 00564594
all, xrefs: 00564531, 00564536

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 4f8cf011032a0db4232f3eb37a5af17ec095562f5e077e1d23bc8fb6ab702638
Instruction ID: c09853269059c1aab425d6054fcba6ec776bec035d12781b7ff83991ee1e53ed
Opcode Fuzzy Hash: 4f8cf011032a0db4232f3eb37a5af17ec095562f5e077e1d23bc8fb6ab702638
Instruction Fuzzy Hash: 31B1CC716083029FC720EF28C890A7ABBE5BFA5764F504A1DF596C7291E734D845CFA2

Function 0058911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DragQueryPoint.SHELL32(?,?), ref: 00589147

Part of subcall function 00587674: ClientToScreen.USER32(?,?), ref: 0058769A
Part of subcall function 00587674: GetWindowRect.USER32(?,?), ref: 00587710
Part of subcall function 00587674: PtInRect.USER32(?,?,00588B89), ref: 00587720

SendMessageW.USER32(?,000000B0,?,?), ref: 005891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00589225
SendMessageW.USER32(?,000000B0,?,?), ref: 0058923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00589255
SendMessageW.USER32(?,000000B1,?,?), ref: 00589277
DragFinish.SHELL32(?), ref: 0058927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00589371

Strings

@GUI_DRAGFILE, xrefs: 00589320
p#\, xrefs: 005892BB
@GUI_DROPID, xrefs: 0058929E
@GUI_DRAGID, xrefs: 005892E9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#\
API String ID: 221274066-311701890
Opcode ID: cbfff0eb22217967d0bd1c6a6411eb6f8ab6a7e4bf9355463f89d41371e72178
Instruction ID: 297453613279c14f9231f8ff90aaf2085a0e764671f7e19a8d7098adc6e80274
Opcode Fuzzy Hash: cbfff0eb22217967d0bd1c6a6411eb6f8ab6a7e4bf9355463f89d41371e72178
Instruction Fuzzy Hash: D0617A71108305AFC701EF55DC85DABBFE8FF99350F00092EF996A61A1DB309A49CB66

Function 004F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005C1990), ref: 00532F8D
GetMenuItemCount.USER32(005C1990), ref: 0053303D
GetCursorPos.USER32(?), ref: 00533081
SetForegroundWindow.USER32(00000000), ref: 0053308A
TrackPopupMenuEx.USER32(005C1990,00000000,?,00000000,00000000,00000000), ref: 0053309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005330A9

Strings

0, xrefs: 004F327D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 32e67d75580414520226146715748ed1107143794d9f380ebd7f152e2cb393b6
Instruction ID: b12becd10b0b385cb7d5e09a723501daac3185b65fe4ee1a10376ad2bba81fd7
Opcode Fuzzy Hash: 32e67d75580414520226146715748ed1107143794d9f380ebd7f152e2cb393b6
Instruction Fuzzy Hash: 8A714A3064060ABEFB259F64CC4EFAABF64FF01764F204216FA246A1E1C7B1AD14DB55

Function 00586CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00586DEB

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00586E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00586E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00586E94
DestroyWindow.USER32(?), ref: 00586EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004F0000,00000000), ref: 00586EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00586EFD
GetDesktopWindow.USER32 ref: 00586F16
GetWindowRect.USER32(00000000), ref: 00586F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00586F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00586F4D

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

Strings

0, xrefs: 00586D98
tooltips_class32, xrefs: 00586E58, 00586EDD

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 119b6afcc6228670b333aaa1f23fc6b7b9e93060f678e4bd8ae864c1e130f508
Instruction ID: 7236fe08f8c3aadb0d14d2ead1541dbf4381203ef2b27af449fac9b832141a5f
Opcode Fuzzy Hash: 119b6afcc6228670b333aaa1f23fc6b7b9e93060f678e4bd8ae864c1e130f508
Instruction Fuzzy Hash: AE715974104244AFDB21DF28D888EAABFE9FB99304F04041DFA99A7261D770E909DB25

Function 0056C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0056C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0056C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0056C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0056C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0056C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0056C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0056C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0056C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0056C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0056C5F0
InternetCloseHandle.WININET(00000000), ref: 0056C5FB

Strings

, xrefs: 0056C575

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 02c76b4243156f32f76f20962d24ed12fd52bb2350450b23a0fe2889b91a0a6c
Instruction ID: 06760862d64b5be3f34b452edf4b5075c09744051fbd157966bebb87d6ca59ab
Opcode Fuzzy Hash: 02c76b4243156f32f76f20962d24ed12fd52bb2350450b23a0fe2889b91a0a6c
Instruction Fuzzy Hash: 2B513CB1600209BFDB219F64CD48ABB7FBCFB28755F00441AF986D7650DB34E948AB60

Function 0058856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00588592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885BA
GlobalLock.KERNEL32(00000000), ref: 005885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885D7
GlobalUnlock.KERNEL32(00000000), ref: 005885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0058FC38,?), ref: 00588611
GlobalFree.KERNEL32(00000000), ref: 00588621
GetObjectW.GDI32(?,00000018,?), ref: 00588641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00588671
DeleteObject.GDI32(?), ref: 00588699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005886AF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9fd8ff8c7bf44ed0a538fe9366ad1a7498e477fa2d3aa7fbbe252deda6b96001
Instruction ID: 68adf4142fe9f92b6e1e9d87d4f5323a21c1f3068f0e669af7142356b47ae068
Opcode Fuzzy Hash: 9fd8ff8c7bf44ed0a538fe9366ad1a7498e477fa2d3aa7fbbe252deda6b96001
Instruction Fuzzy Hash: 4E41E875600204AFDB119FA5DC88EAA7FB9FF99B11F144058FD46E72A0DB309905DB60

Function 005614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00561502
VariantCopy.OLEAUT32(?,?), ref: 0056150B
VariantClear.OLEAUT32(?), ref: 00561517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00561657
VariantInit.OLEAUT32(?), ref: 00561708
SysFreeString.OLEAUT32(?), ref: 0056178C
VariantClear.OLEAUT32(?), ref: 005617D8
VariantClear.OLEAUT32(?), ref: 005617E7
VariantInit.OLEAUT32(00000000), ref: 00561823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00561625
Default, xrefs: 005616AF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8d8b2ecadb27a206779dc12bc05e885b98aee25f90e5cc63562636d39502c54e
Instruction ID: 44db7ebd282156a283b273b47bdaac8ad1d32900e8adbb28b6783b801ca88e25
Opcode Fuzzy Hash: 8d8b2ecadb27a206779dc12bc05e885b98aee25f90e5cc63562636d39502c54e
Instruction Fuzzy Hash: FED1FE72A00A05DBDB109F65E888B7DFFB5BF84700F18845AE807AB590EB34EC44DB65

Function 0057B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0057B80A
RegCloseKey.ADVAPI32(?), ref: 0057B87E
RegCloseKey.ADVAPI32(?), ref: 0057B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0057B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0057B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0057B922
FreeLibrary.KERNEL32(00000000), ref: 0057B983
RegCloseKey.ADVAPI32(00000000), ref: 0057B994

Strings

RegDeleteKeyExW, xrefs: 0057B8FE
advapi32.dll, xrefs: 0057B8ED

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 37cf996252fc61956de7b2125b2e618f1f15151756300b516bfb35637ae3d06d
Instruction ID: 9030c368a54c1078397885558127f1706d480ca8cf502026b100f8d20d3cc0ea
Opcode Fuzzy Hash: 37cf996252fc61956de7b2125b2e618f1f15151756300b516bfb35637ae3d06d
Instruction Fuzzy Hash: F8C17B30204201AFE714DF15D494F2ABBE5FF84308F14C55DE5AA8B2A2CB75ED45DB92

Function 0057255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005725E8
CreateCompatibleDC.GDI32(?), ref: 005725F4
SelectObject.GDI32(00000000,?), ref: 00572601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0057266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005726D0
SelectObject.GDI32(?,?), ref: 005726D8
DeleteObject.GDI32(?), ref: 005726E1
DeleteDC.GDI32(?), ref: 005726E8
ReleaseDC.USER32(00000000,?), ref: 005726F3

Strings

(, xrefs: 0057268D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7e05a9df23b9244dcf1b835b47bdb32973dacf8465902a1a614a773f697637e4
Instruction ID: d364579aef1b5c130a4d34de4023364ab397ff41a5710573fea2c5fc1839e8ff
Opcode Fuzzy Hash: 7e05a9df23b9244dcf1b835b47bdb32973dacf8465902a1a614a773f697637e4
Instruction Fuzzy Hash: E061D475D00219EFCF14CFA4D888AAEBFB5FF58310F20852AE95AA7250D770A951DF60

Function 0052DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0052DAA1

Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D659
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D66B
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D67D
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D68F
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6A1
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6B3
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6C5
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6D7
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6E9
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6FB
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D70D
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D71F
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D731

_free.LIBCMT ref: 0052DA96

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052DAB8
_free.LIBCMT ref: 0052DACD
_free.LIBCMT ref: 0052DAD8
_free.LIBCMT ref: 0052DAFA
_free.LIBCMT ref: 0052DB0D
_free.LIBCMT ref: 0052DB1B
_free.LIBCMT ref: 0052DB26
_free.LIBCMT ref: 0052DB5E
_free.LIBCMT ref: 0052DB65
_free.LIBCMT ref: 0052DB82
_free.LIBCMT ref: 0052DB9A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5d8db694c829cea385bf48e601999551412684d65b4a7c6f82976c184f53439f
Instruction ID: 3132f7810d2adfdbb71ac163df3cf532937ff3990c1d180e35d374a8add94623
Opcode Fuzzy Hash: 5d8db694c829cea385bf48e601999551412684d65b4a7c6f82976c184f53439f
Instruction Fuzzy Hash: B9315736604626AFEB21AB38F849B5ABFF9FF46310F554429E449D71D1DB31AC808B30

Function 0055365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0055369C
_wcslen.LIBCMT ref: 005536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00553797
GetClassNameW.USER32(?,?,00000400), ref: 0055380C
GetDlgCtrlID.USER32(?), ref: 0055385D
GetWindowRect.USER32(?,?), ref: 00553882
GetParent.USER32(?), ref: 005538A0
ScreenToClient.USER32(00000000), ref: 005538A7
GetClassNameW.USER32(?,?,00000100), ref: 00553921
GetWindowTextW.USER32(?,?,00000400), ref: 0055395D

Strings

%s%u, xrefs: 00553734

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 41fa51c99d691c560267f6bbe8801660c910f0cfcbe28a76a21e4bd020c98f0d
Instruction ID: 6ff3d5cd118a260b5ee239ab7c689a11c2ca745aaf26a73489b1ec68766293ea
Opcode Fuzzy Hash: 41fa51c99d691c560267f6bbe8801660c910f0cfcbe28a76a21e4bd020c98f0d
Instruction Fuzzy Hash: 0791B4B1204606AFD719DF24C8A5BAAFBA8FF44391F00452AFD99D2150DB30EA5DCB91

Function 00554954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00554994
GetWindowTextW.USER32(?,?,00000400), ref: 005549DA
_wcslen.LIBCMT ref: 005549EB
CharUpperBuffW.USER32(?,00000000), ref: 005549F7
_wcsstr.LIBVCRUNTIME ref: 00554A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00554A64
GetWindowTextW.USER32(?,?,00000400), ref: 00554A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00554AE6
GetClassNameW.USER32(?,?,00000400), ref: 00554B20
GetWindowRect.USER32(?,?), ref: 00554B8B

Strings

ThumbnailClass, xrefs: 00554A6F, 00554AF1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 362f04851c6eee32384bdf440b27cc0441ce891ffac0c9a5a966fd2586eca813
Instruction ID: b97bca61f882e052335a64c02c4cc0eeff8719c9b146d59b81370af5b7d5bdeb
Opcode Fuzzy Hash: 362f04851c6eee32384bdf440b27cc0441ce891ffac0c9a5a966fd2586eca813
Instruction Fuzzy Hash: 9F91AD310042069FDF04DF14C995BAA7BE9FF84359F04846AFD859A096EB34ED89CFA1

Function 00588D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00588D5A
GetFocus.USER32 ref: 00588D6A
GetDlgCtrlID.USER32(00000000), ref: 00588D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00588E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00588ECF
GetMenuItemCount.USER32(?), ref: 00588EEC
GetMenuItemID.USER32(?,00000000), ref: 00588EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00588F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00588F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00588FA1

Strings

0, xrefs: 00588E9F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 4d58ad0e5fd3caef7c2df47b01d8e6ee52015758863cc32bdf03d9a65a9f3d5c
Instruction ID: 158a9e8ad7234043043faf66f900405ee645ea896051b8eed848a4868b4c723f
Opcode Fuzzy Hash: 4d58ad0e5fd3caef7c2df47b01d8e6ee52015758863cc32bdf03d9a65a9f3d5c
Instruction Fuzzy Hash: 5F81AD715083029FDB20EF24D884ABB7FE9FB98314F540929FE84A7291DB70D905DBA1

Function 0055DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0055DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0055DC46
_wcslen.LIBCMT ref: 0055DC50
_wcsstr.LIBVCRUNTIME ref: 0055DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0055DCBC

Strings

%u.%u.%u.%u, xrefs: 0055DD9A
04090000, xrefs: 0055DCF2
StringFileInfo\, xrefs: 0055DC8F
\VarFileInfo\Translation, xrefs: 0055DCB4
DefaultLangCodepage, xrefs: 0055DD1F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4797538a170cd07ca18aa60890eff2fa09491e7d24fc5ed8b58dc8dfb1d51420
Instruction ID: d0e0da0ce07a7831de485e213de961f5b41fd0701b00ddf217ae956c7a362739
Opcode Fuzzy Hash: 4797538a170cd07ca18aa60890eff2fa09491e7d24fc5ed8b58dc8dfb1d51420
Instruction Fuzzy Hash: 084106329402067AEB20A764DC0BEFF7FBCFF95711F14006AFD00A6182EA749A4497B5

Function 0057CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0057CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0057CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0057CD48

Part of subcall function 0057CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0057CCAA
Part of subcall function 0057CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0057CCBD
Part of subcall function 0057CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0057CCCF
Part of subcall function 0057CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0057CD05
Part of subcall function 0057CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0057CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0057CCF3

Strings

RegDeleteKeyExW, xrefs: 0057CCC9
advapi32.dll, xrefs: 0057CCB8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c75d231ecef21b275fb3c4d87f07f7c871bad016307008fca59c819b0a7faf76
Instruction ID: 507885beb4fe42b34e85c5d699a78db9ef6602e662d8099f944d5f4acbd9e3d4
Opcode Fuzzy Hash: c75d231ecef21b275fb3c4d87f07f7c871bad016307008fca59c819b0a7faf76
Instruction Fuzzy Hash: A9316971901129BBDB219B50EC88EEFBF7CFF55740F004169A90AE6240DA309E49EBB0

Function 00563D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00563D40
_wcslen.LIBCMT ref: 00563D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00563D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00563DBE
RemoveDirectoryW.KERNEL32(?), ref: 00563DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00563E55
CloseHandle.KERNEL32(00000000), ref: 00563E60
CloseHandle.KERNEL32(00000000), ref: 00563E6B

Strings

:, xrefs: 00563D82
\, xrefs: 00563D77
\??\%s, xrefs: 00563D5B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 0894231b8f33c7628c1d1dcd7d58be5f84d2dac3c8e1582c7829fc24a29c63f5
Instruction ID: c93d91a8301436d6f7e373b88c48cbb40d9e512784aa6e69aefc228f595bcffd
Opcode Fuzzy Hash: 0894231b8f33c7628c1d1dcd7d58be5f84d2dac3c8e1582c7829fc24a29c63f5
Instruction Fuzzy Hash: 8331737590010A6BDB219BA0DC49FEF7BBCFF89740F1041A5F915E6090EB7497449B34

Function 0055E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0055E6B4

Part of subcall function 0050E551: timeGetTime.WINMM(?,?,0055E6D4), ref: 0050E555

Sleep.KERNEL32(0000000A), ref: 0055E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0055E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0055E727
SetActiveWindow.USER32 ref: 0055E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0055E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0055E773
Sleep.KERNEL32(000000FA), ref: 0055E77E
IsWindow.USER32 ref: 0055E78A
EndDialog.USER32(00000000), ref: 0055E79B

Strings

BUTTON, xrefs: 0055E719

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 75b5fe7c5683050fcb8c64ccc3d0aaa761cd527a575d0f7ae8713213ae9e7d41
Instruction ID: 07f21285ec178ea6456d70ebf8ce4f11ced276430ec699f4afe879cf49f6ea3e
Opcode Fuzzy Hash: 75b5fe7c5683050fcb8c64ccc3d0aaa761cd527a575d0f7ae8713213ae9e7d41
Instruction Fuzzy Hash: 97217F70200641AFEB045B21EC9AE253E69FB6578AF101426FC55915A1DF71AD4CBB34

Function 0055E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0055EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0055EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0055EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0055EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0055EAA7

Strings

alias PlayMe, xrefs: 0055EA36
close PlayMe, xrefs: 0055EA6E, 0055EA9B
open , xrefs: 0055EA0C
play PlayMe wait, xrefs: 0055EA91
status PlayMe mode, xrefs: 0055EA58
play PlayMe, xrefs: 0055EAA2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d6707a75a984902bca7762be9904e715608b64ca5abeb4b05b9583bb5014c39e
Instruction ID: a37e4975e6df8b2a116412817c23db11f883e0a14b1e40779f0a605f60434cdf
Opcode Fuzzy Hash: d6707a75a984902bca7762be9904e715608b64ca5abeb4b05b9583bb5014c39e
Instruction Fuzzy Hash: 68114F31A5026979D724A7B2DC5AEFF6EBCFBD1B44F00042AB911A20D1EEB41A49C5B0

Function 00555CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00555CE2
GetWindowRect.USER32(00000000,?), ref: 00555CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00555D59
GetDlgItem.USER32(?,00000002), ref: 00555D69
GetWindowRect.USER32(00000000,?), ref: 00555D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00555DCF
GetDlgItem.USER32(?,000003E9), ref: 00555DDD
GetWindowRect.USER32(00000000,?), ref: 00555DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00555E31
GetDlgItem.USER32(?,000003EA), ref: 00555E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00555E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00555E67

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 34d04da8f13b62f3db7c0d03a067468c479a7dad1eed6fe2e7f987f968eb003f
Instruction ID: b64a62d7fe92246abb30c17a8e8adcbefe9f65258d2b3b416616ae9fc615bbfe
Opcode Fuzzy Hash: 34d04da8f13b62f3db7c0d03a067468c479a7dad1eed6fe2e7f987f968eb003f
Instruction Fuzzy Hash: 1B510071B00605AFDB18CF69DD99AAE7BB9FF58301F148129F916E6290E7709E04CB60

Function 00508BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00508F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00508BE8,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508FC5

DestroyWindow.USER32(?), ref: 00508C81
KillTimer.USER32(00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00546973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 005469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 005469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000), ref: 005469D4
DeleteObject.GDI32(00000000), ref: 005469E6

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 453147b05fac14e63d8956c58a96670cb693f4ca90f6932aa3e1438e1cba04af
Instruction ID: f1a137b2361a3f8634e2fcbc48d2e27fec38b5b7bc0e2b59394d601ae193091c
Opcode Fuzzy Hash: 453147b05fac14e63d8956c58a96670cb693f4ca90f6932aa3e1438e1cba04af
Instruction Fuzzy Hash: B961CD31002A01DFDB259F14D948F797FF1FB62316F14591CE082AA9A0CB71AC88EF65

Function 00509838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

GetSysColor.USER32(0000000F), ref: 00509862

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c52b2e7df1fea76b5835c81157511b75689bcd9ac9b05b8699f207ee3cd1e19a
Instruction ID: 849e5d1319a728aebdd5be3e7a7ac250adb55554f0fa0c0972ad1b6476960267
Opcode Fuzzy Hash: c52b2e7df1fea76b5835c81157511b75689bcd9ac9b05b8699f207ee3cd1e19a
Instruction Fuzzy Hash: 5F41BF71104644AFDB205F389C88BBD3FA5BB56330F148655F9A29B2E7D7309C42EB60

Function 00528D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.Q, xrefs: 0052903A, 00528FD0, 00528FF2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: .Q
API String ID: 0-3049930668
Opcode ID: 96dc7c2d1db751bda353c358a901cd92db1beba800c1833f992888c55c988da1
Instruction ID: 6da3e753f1948f8d6232ba48cb20cf4995b2038a1201c7fded3c6a915562d8dc
Opcode Fuzzy Hash: 96dc7c2d1db751bda353c358a901cd92db1beba800c1833f992888c55c988da1
Instruction Fuzzy Hash: B4C1F479E04269AFDB11DFE8E849BADBFB4BF5A310F044099E415A73D2CB309941CB61

Function 005596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0053F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00559717
LoadStringW.USER32(00000000,?,0053F7F8,00000001), ref: 00559720

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0053F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00559742
LoadStringW.USER32(00000000,?,0053F7F8,00000001), ref: 00559745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00559866

Strings

Error: , xrefs: 0055981D
^ ERROR, xrefs: 005597FB
%s (%d) : ==> %s: %s %s, xrefs: 0055984A
Line %d (File "%s"):, xrefs: 0055978F
Line %d:, xrefs: 005597A0

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 43c433c53bb4b13d46c55b43f255f3b7132ffd0fa7430491ea2c7145a44027d9
Instruction ID: f03f92ffad9a2d6f2f674b398bd63f560f224ca3f423971fb2183cf3ea3d9f5b
Opcode Fuzzy Hash: 43c433c53bb4b13d46c55b43f255f3b7132ffd0fa7430491ea2c7145a44027d9
Instruction Fuzzy Hash: 7F414E7280021DAACF04FBA1CD96EFE7B78AF54745F10042AFA0572091EB396F48CB65

Function 005506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00550804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0055082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00550837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0055083C

Strings

\CLSID, xrefs: 00550724
\IPC$, xrefs: 00550784
SOFTWARE\Classes\, xrefs: 0055070E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4052af2a181ef8203d98faf10f09ea47f43acac36e9ba5a6cbb93b06630fd1c1
Instruction ID: b89f2ded6ca2e09304887ac73aa7bfdb65c8e44e04996d91e9cb79030f7090d3
Opcode Fuzzy Hash: 4052af2a181ef8203d98faf10f09ea47f43acac36e9ba5a6cbb93b06630fd1c1
Instruction Fuzzy Hash: F541197181022DABDF15EF95DC95DFDBB78BF04384F04412AE901A31A0EB34AD18CBA0

Function 00573C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00573C5C
CoInitialize.OLE32(00000000), ref: 00573C8A
CoUninitialize.OLE32 ref: 00573C94
_wcslen.LIBCMT ref: 00573D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00573DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00573ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00573F0E
CoGetObject.OLE32(?,00000000,0058FB98,?), ref: 00573F2D
SetErrorMode.KERNEL32(00000000), ref: 00573F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00573FC4
VariantClear.OLEAUT32(?), ref: 00573FD8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d6ef8145e5a39745aa39872aae023a50513b0fd1e7fd72c15f398bf16809ce3e
Instruction ID: c8d6e5a74afe0695ae56108ac887bb82ed4813b881fe312eaa3445f5689b81a8
Opcode Fuzzy Hash: d6ef8145e5a39745aa39872aae023a50513b0fd1e7fd72c15f398bf16809ce3e
Instruction Fuzzy Hash: 61C168716083059FD700DF68D88492BBBE9FF89798F10891DF98A9B250D731EE05EB52

Function 00567A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00567AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00567B8F
SHGetDesktopFolder.SHELL32(?), ref: 00567BA3
CoCreateInstance.OLE32(0058FD08,00000000,00000001,005B6E6C,?), ref: 00567BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00567C74
CoTaskMemFree.OLE32(?,?), ref: 00567CCC
SHBrowseForFolderW.SHELL32(?), ref: 00567D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00567D7A
CoTaskMemFree.OLE32(00000000), ref: 00567D81
CoTaskMemFree.OLE32(00000000), ref: 00567DD6
CoUninitialize.OLE32 ref: 00567DDC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3219b263aac92372c284743a71fbbb168366769fd2db4ec52e7b5f7431af9ea6
Instruction ID: 5580905e1ad418c0731f0704c5639c55bad287c87dcd94b641da7d33f3dc1623
Opcode Fuzzy Hash: 3219b263aac92372c284743a71fbbb168366769fd2db4ec52e7b5f7431af9ea6
Instruction Fuzzy Hash: 69C12C75A04109AFDB14DFA4C884DAEBBF9FF48308B148499E919EB361D734EE45CB90

Function 0058541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00585504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00585515
CharNextW.USER32(00000158), ref: 00585544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00585585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0058559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005855AC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e41c9a12a0f2df1c1f84553764bc2c996838cb50e0c9db0274193560bc1afdbe
Instruction ID: 42745b04112eaceb1a2295a11612348d0051d403b9466b2bbae39519b7a54e72
Opcode Fuzzy Hash: e41c9a12a0f2df1c1f84553764bc2c996838cb50e0c9db0274193560bc1afdbe
Instruction Fuzzy Hash: EF618A30900609ABDF11AFA5CC85AFE7FB9FF09321F104555FD25BA2A0E7748A84DB60

Function 0054FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0054FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0054FB08
VariantInit.OLEAUT32(?), ref: 0054FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0054FB3A
VariantCopy.OLEAUT32(?,?), ref: 0054FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0054FBA1
VariantClear.OLEAUT32(?), ref: 0054FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0054FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0054FBCC
VariantClear.OLEAUT32(?), ref: 0054FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0054FBE9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d30bfae2090720c6d33ed5f6364942a74664e344f5da4152ac1834491f151cf6
Instruction ID: 14ef363ed0d7c7d8392ce246e92bd0a1c8cb8720e3406a8e5070852733e0b5c8
Opcode Fuzzy Hash: d30bfae2090720c6d33ed5f6364942a74664e344f5da4152ac1834491f151cf6
Instruction Fuzzy Hash: 17415F35A002199FCF00DF68D858DEEBFB9FF58349F008069E905A7261DB30A945DBA0

Function 00559C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00559CA1
GetAsyncKeyState.USER32(000000A0), ref: 00559D22
GetKeyState.USER32(000000A0), ref: 00559D3D
GetAsyncKeyState.USER32(000000A1), ref: 00559D57
GetKeyState.USER32(000000A1), ref: 00559D6C
GetAsyncKeyState.USER32(00000011), ref: 00559D84
GetKeyState.USER32(00000011), ref: 00559D96
GetAsyncKeyState.USER32(00000012), ref: 00559DAE
GetKeyState.USER32(00000012), ref: 00559DC0
GetAsyncKeyState.USER32(0000005B), ref: 00559DD8
GetKeyState.USER32(0000005B), ref: 00559DEA

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cc5bac603b5b1c48ed66c741de47e60e680be53e9a7d56faba04111d2c374b8f
Instruction ID: b131d0a18d2adf2eee566e6cfffe4f82201d46d02aa55d3ea4681ca127e4720a
Opcode Fuzzy Hash: cc5bac603b5b1c48ed66c741de47e60e680be53e9a7d56faba04111d2c374b8f
Instruction Fuzzy Hash: 0B4196345047C9A9FF31966488253B5BEB07F21345F08805BDEC65A5C2EBADADCCC7A2

Function 0057055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005705BC
inet_addr.WSOCK32(?), ref: 0057061C
gethostbyname.WSOCK32(?), ref: 00570628
IcmpCreateFile.IPHLPAPI ref: 00570636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005707B9
WSACleanup.WSOCK32 ref: 005707BF

Strings

Ping, xrefs: 00570676

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 96e9db07a11e883696a76afcba9f907b60612fda536246ed88658f9722e2f9a9
Instruction ID: c6abc6d48119ac8fcd75b7c1705ba48c759875c691844fefb77987c6fcb9ef0a
Opcode Fuzzy Hash: 96e9db07a11e883696a76afcba9f907b60612fda536246ed88658f9722e2f9a9
Instruction Fuzzy Hash: C1917835604201EFD324DF15E888B2ABFE0FB84318F14D9A9E4699B6A2C734EC45DF91

Function 00578CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00578CF3

Part of subcall function 00558E54: _wcslen.LIBCMT ref: 00558E77

_wcslen.LIBCMT ref: 00578D4E
_wcslen.LIBCMT ref: 00578D9C
_wcslen.LIBCMT ref: 00578DDC
_wcslen.LIBCMT ref: 00578E6E

Strings

stdcall, xrefs: 00578DD6, 00578DDB
winapi, xrefs: 00578D96, 00578D9B
cdecl, xrefs: 00578D48, 00578D4D
none, xrefs: 00578E65, 00578E6A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a9429416473a91c52f00b81e539bf3149808cba801a1a074082f90ebf3bfca30
Instruction ID: ed6bd85abf77e9c0e31a6fdc358977a95cfa3f2dbe234a835ca559eeeabe48a2
Opcode Fuzzy Hash: a9429416473a91c52f00b81e539bf3149808cba801a1a074082f90ebf3bfca30
Instruction Fuzzy Hash: A851D731A405169BCF24DF6CD8449BEBBA5BF64324B20822AE92AE73C4DF34DD40D790

Function 0057372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00573774
CoUninitialize.OLE32 ref: 0057377F
CoCreateInstance.OLE32(?,00000000,00000017,0058FB78,?), ref: 005737D9
IIDFromString.OLE32(?,?), ref: 0057384C
VariantInit.OLEAUT32(?), ref: 005738E4
VariantClear.OLEAUT32(?), ref: 00573936

Strings

Failed to create object, xrefs: 005737E4, 0057389A
Invalid parameter, xrefs: 00573865
NULL Pointer assignment, xrefs: 0057381E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 05a11a5349121fd97a217e3ac3bd4f67ff09a03da637265aa50097467ddfb223
Instruction ID: 34559812fad19817e97ccffae11e22d64f890a17626576f4ff593f42f6d5c86c
Opcode Fuzzy Hash: 05a11a5349121fd97a217e3ac3bd4f67ff09a03da637265aa50097467ddfb223
Instruction Fuzzy Hash: 97618F71608301AFD310DF54D849B6ABFE4FF88725F108809F98997291D770EE48EB92

Function 00588B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

Part of subcall function 0050912D: GetCursorPos.USER32(?), ref: 00509141
Part of subcall function 0050912D: ScreenToClient.USER32(00000000,?), ref: 0050915E
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000001), ref: 00509183
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000002), ref: 0050919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00588B6B
ImageList_EndDrag.COMCTL32 ref: 00588B71
ReleaseCapture.USER32 ref: 00588B77
SetWindowTextW.USER32(?,00000000), ref: 00588C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00588C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00588CFF

Strings

@GUI_DRAGFILE, xrefs: 00588C9A
p#\, xrefs: 00588C71
@GUI_DROPID, xrefs: 00588C51

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#\
API String ID: 1924731296-509227506
Opcode ID: 06866eaccdf5238adbccdb53857ccfd55f0932b978577ff7a8e166bb064cc11c
Instruction ID: 099e4ddbd3ac63e6fe2c8d05728404717f99073b2f5f175e39f25c9660c825f5
Opcode Fuzzy Hash: 06866eaccdf5238adbccdb53857ccfd55f0932b978577ff7a8e166bb064cc11c
Instruction Fuzzy Hash: BB517A70104204AFD700EF15D85AFBA7BE4FB88754F40062DF9966B2E2DB709D08CB66

Function 00563388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005633CF

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005633F0

Strings

Incorrect parameters to object property !, xrefs: 005634AB
Error: , xrefs: 005634D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00563504
^ ERROR , xrefs: 0056349E
"%s" (%d) : ==> %s:, xrefs: 00563522
Line %d (File "%s"):, xrefs: 00563443, 0056345C

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2b05e2d838219a7fce2ee2bbc383f55477ca7f7e0aa3d607993222c65d512da0
Instruction ID: 9fb4c37eed298fa812c72c154c02b8a8053efeb5dfe0319716366f020cd6d588
Opcode Fuzzy Hash: 2b05e2d838219a7fce2ee2bbc383f55477ca7f7e0aa3d607993222c65d512da0
Instruction Fuzzy Hash: EC51DD7180060AAADF15EBA1CD46EFEBB78BF14745F10406AF90573092EB392F58DB64

Function 0055B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0055B5FC
_wcslen.LIBCMT ref: 0055B608
_wcslen.LIBCMT ref: 0055B64D
_wcslen.LIBCMT ref: 0055B68C
_wcslen.LIBCMT ref: 0055B6C7

Strings

REMOVE, xrefs: 0055B602, 0055B607
KEYS, xrefs: 0055B647, 0055B64C
APPEND, xrefs: 0055B6C1, 0055B6C6
EXISTS, xrefs: 0055B686, 0055B68B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e84d0ea8d70d819371183352bea71dc0c736316cab8177877a0324ec9e01ee84
Instruction ID: ba937458e2c5cfbbc91b41b8ea8d08b40aafd3703e48544d7ae9f199bc812bea
Opcode Fuzzy Hash: e84d0ea8d70d819371183352bea71dc0c736316cab8177877a0324ec9e01ee84
Instruction Fuzzy Hash: 5A41D632A000279ADB105F7DC8A45BE7FA5FFA0795B24422BEC21D7284E735CD85C790

Function 00565393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00565416
GetLastError.KERNEL32 ref: 00565420
SetErrorMode.KERNEL32(00000000,READY), ref: 005654A7

Strings

NOTREADY, xrefs: 0056544B
READY, xrefs: 00565460, 00565468
INVALID, xrefs: 00565459
READONLY, xrefs: 00565452
UNKNOWN, xrefs: 00565444

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ca8dc4ca98fc7dced15ed36968d219e2a1d224faed69b3194b7caf9febd90ec0
Instruction ID: faf0595bdb58ef6fef62e8f84f5dda677431af649ee32a30c620c53db27b9384
Opcode Fuzzy Hash: ca8dc4ca98fc7dced15ed36968d219e2a1d224faed69b3194b7caf9febd90ec0
Instruction Fuzzy Hash: F731B535A405059FCB10DF68C484BAA7FB4FF44306F1484A9E505DB252EF75DD86CB90

Function 00583C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00583C79
SetMenu.USER32(?,00000000), ref: 00583C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00583D10
IsMenu.USER32(?), ref: 00583D24
CreatePopupMenu.USER32 ref: 00583D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00583D5B
DrawMenuBar.USER32 ref: 00583D63

Strings

0, xrefs: 00583C54
F, xrefs: 00583D4E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4bb00fcb1404dd742483245f0b78d0f32b2821df47c6b3da7431d22426489ef9
Instruction ID: 62e4f9aa0be3b3c214dd7ec8a6cdde9788d0bedc0c0db694e4f348a6c7b382a8
Opcode Fuzzy Hash: 4bb00fcb1404dd742483245f0b78d0f32b2821df47c6b3da7431d22426489ef9
Instruction Fuzzy Hash: 7B418875A02209AFDF14DF64E884EAA7FB5FF49340F144029ED46A7360D730AA14DBA4

Function 00551EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00551F64
GetDlgCtrlID.USER32 ref: 00551F6F
GetParent.USER32 ref: 00551F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00551F8E
GetDlgCtrlID.USER32(?), ref: 00551F97
GetParent.USER32(?), ref: 00551FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00551FAE

Strings

ListBox, xrefs: 00551F21
ComboBox, xrefs: 00551EEC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 05a730bc8386cc9e9c74c3276a7e170d7068e665438167759b708241648d24ef
Instruction ID: 20f12065c933f984bc9933906f288f401f6bea5af9e24a8bac8ac9649c22a334
Opcode Fuzzy Hash: 05a730bc8386cc9e9c74c3276a7e170d7068e665438167759b708241648d24ef
Instruction Fuzzy Hash: 2A21AC70900218ABCF04AFA5DC95AFEBFA8BF15350B00011AFD65AB2A1DB39590C9B74

Function 00583A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00583A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00583AA0
GetWindowLongW.USER32(?,000000F0), ref: 00583AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00583AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00583B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00583BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00583BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00583BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00583BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00583C13

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5bb917554b509d280f9e678af95026b7f13d50b7005db11dc995eb79f892fa4b
Instruction ID: ee436d0433da57165a14457d837fb46dceb41c6f51009a4a6ab4735138f8f821
Opcode Fuzzy Hash: 5bb917554b509d280f9e678af95026b7f13d50b7005db11dc995eb79f892fa4b
Instruction Fuzzy Hash: 76615C75900248AFDB10EFA8CC81EEE7BB8FF49700F104199FA15AB292D774AE45DB54

Function 0055B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0055B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B165
GetWindowThreadProcessId.USER32(00000000), ref: 0055B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0055B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B21D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9d44ec63ee9a565eca5262de9d61329fe488dd975158048a67929d665cb057fa
Instruction ID: a5382adca7ba437c52653b1b37c6324fe800e785867d0785d9d509802b7dd2bc
Opcode Fuzzy Hash: 9d44ec63ee9a565eca5262de9d61329fe488dd975158048a67929d665cb057fa
Instruction Fuzzy Hash: EC318C76500A08AFEB109F64EC5CFAD7FA9BB61312F108056FE01E6190E7B49A48DF70

Function 00522C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00522C94

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 00522CA0
_free.LIBCMT ref: 00522CAB
_free.LIBCMT ref: 00522CB6
_free.LIBCMT ref: 00522CC1
_free.LIBCMT ref: 00522CCC
_free.LIBCMT ref: 00522CD7
_free.LIBCMT ref: 00522CE2
_free.LIBCMT ref: 00522CED
_free.LIBCMT ref: 00522CFB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a5d198dcbc767c780b88cc20dc6b389015d93b1cb79568ffbf604fc41185d4c8
Instruction ID: 010a45b88fce28c24a2e6ab07e861a3b683559a0f24b402d7310d0b2b5a2d983
Opcode Fuzzy Hash: a5d198dcbc767c780b88cc20dc6b389015d93b1cb79568ffbf604fc41185d4c8
Instruction Fuzzy Hash: 9D11967A100119BFCB02EF54E986CDD3FA5FF4A350F8144A5F9485B262D631EE909B90

Function 00567DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00567FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00567FC1
GetFileAttributesW.KERNEL32(?), ref: 00567FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00568005
SetCurrentDirectoryW.KERNEL32(?), ref: 00568017
SetCurrentDirectoryW.KERNEL32(?), ref: 00568060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005680B0

Strings

*.*, xrefs: 00568066

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: c1983cc4da365bdaecf93dceb171c6f965d60fe10aaeb0a80076ac5924a9c762
Instruction ID: 70ddb593e73b1e6d0d401927eaa6d9f3fbe47513b265a1fbf406525dcca287f4
Opcode Fuzzy Hash: c1983cc4da365bdaecf93dceb171c6f965d60fe10aaeb0a80076ac5924a9c762
Instruction Fuzzy Hash: 7E81B1725082099BCB20EF64C4549BABBE8BF88318F144D5EF885D7250EB36DD49CB52

Function 004F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004F5C7A

Part of subcall function 004F5D0A: GetClientRect.USER32(?,?), ref: 004F5D30
Part of subcall function 004F5D0A: GetWindowRect.USER32(?,?), ref: 004F5D71
Part of subcall function 004F5D0A: ScreenToClient.USER32(?,?), ref: 004F5D99

GetDC.USER32 ref: 005346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00534708
SelectObject.GDI32(00000000,00000000), ref: 00534716
SelectObject.GDI32(00000000,00000000), ref: 0053472B
ReleaseDC.USER32(?,00000000), ref: 00534733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005347C4

Strings

U, xrefs: 00534693

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 794c9b0474d704569bbe7093fa6083cc2830563c807033a9e7730d7c15499925
Instruction ID: 8de1d77d7b733ead68d2e19d6e49ac8bd1d17e334fd63fcdfb760a877a12e25d
Opcode Fuzzy Hash: 794c9b0474d704569bbe7093fa6083cc2830563c807033a9e7730d7c15499925
Instruction Fuzzy Hash: 2671F331400609DFCF218F64CD85ABA7FB5FF4A354F14426AEE566A2A6C334AC42DF60

Function 0056359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005635E4

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

LoadStringW.USER32(005C2390,?,00000FFF,?), ref: 0056360A

Strings

Error: , xrefs: 005636EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00563724
^ ERROR, xrefs: 005636C9
"%s" (%d) : ==> %s:, xrefs: 00563742
Line %d (File "%s"):, xrefs: 0056366B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c6c496e2f210f4c3b1ca2af1b084f7e4842069fe9ba004b3469efebedc0ba805
Instruction ID: f6442a95998ad63d9252d9d26f2fb5afda2e1ff4a076e4e6d5696c26a406a1c5
Opcode Fuzzy Hash: c6c496e2f210f4c3b1ca2af1b084f7e4842069fe9ba004b3469efebedc0ba805
Instruction Fuzzy Hash: FB517F7180060AAADF15EBA1CC42EFDBF74FF14745F14412AF60572191DB342B98DB64

Function 0056C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0056C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0056C2CA
GetLastError.KERNEL32 ref: 0056C322
SetEvent.KERNEL32(?), ref: 0056C336
InternetCloseHandle.WININET(00000000), ref: 0056C341

Strings

, xrefs: 0056C2BB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e7cd2fbdec0e8b9d7057c99520b84a60a7e2243a3ac4c91f1ae6e7c3020fc7dc
Instruction ID: bff40205b03fada04bab52b6e7e18ab1b1714d34847ff1b37f3178b2a88d4de8
Opcode Fuzzy Hash: e7cd2fbdec0e8b9d7057c99520b84a60a7e2243a3ac4c91f1ae6e7c3020fc7dc
Instruction Fuzzy Hash: 01315AB1600208AFD7219F649888ABB7FFCFB59744B10891EA886E7200DB34DD089B70

Function 0055989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00533AAF,?,?,Bad directive syntax error,0058CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005598BC
LoadStringW.USER32(00000000,?,00533AAF,?), ref: 005598C3

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00559987

Strings

Error: , xrefs: 00559955
., xrefs: 0055996D
Line %d (File "%s"):, xrefs: 0055992D
Line %d:, xrefs: 00559912
%s (%d) : ==> %s.: %s %s, xrefs: 005598F1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 62b0f6c93f4fdfe42e5a6356cf39e3e9037c2183f9a8a7cbeb74798fcdd81243
Instruction ID: 41bbf9dfed33519cefdcacd38c688dacb20afd2cee4dc08439dd092e1d2677e0
Opcode Fuzzy Hash: 62b0f6c93f4fdfe42e5a6356cf39e3e9037c2183f9a8a7cbeb74798fcdd81243
Instruction Fuzzy Hash: AB216F3180021EEBCF11EF90CC5AEED7B75BF14745F04442AFA15620A1EB79AA18DB20

Function 0055209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0055214D

Strings

details, xrefs: 005520FB
smallicons, xrefs: 00552115
SHELLDLL_DefView, xrefs: 005520CC
largeicons, xrefs: 005520E1
list, xrefs: 0055212F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 268daed558611a6677929222a16830826c4505ecf7c227ca570ed2215b7167d6
Instruction ID: ef5e9e5b67385a3f84463f5c2f63c8c112848645625a3a8a7e13c863cf4651fb
Opcode Fuzzy Hash: 268daed558611a6677929222a16830826c4505ecf7c227ca570ed2215b7167d6
Instruction Fuzzy Hash: 9A112776288B07BAF60562209C1BDE73F9CFF16325F201027FF05A40D1FE6168899B14

Function 0052CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0052CEB7
_free.LIBCMT ref: 0052CF22
_free.LIBCMT ref: 0052CF48
_free.LIBCMT ref: 0052CF71
_free.LIBCMT ref: 0052CFA9
_free.LIBCMT ref: 0052CFDA
_free.LIBCMT ref: 0052D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0052D09C
_free.LIBCMT ref: 0052D0B5

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 3ee2bbf9a477e2bd04c2c78d903fa0a60918f833e73d9b6c714d71365b70f443
Instruction ID: ef2b78d90c108d5a5594bcd345e99851ec0ea1192bd88f5eaabf87ffc3717944
Opcode Fuzzy Hash: 3ee2bbf9a477e2bd04c2c78d903fa0a60918f833e73d9b6c714d71365b70f443
Instruction Fuzzy Hash: 45614772904721AFDB21AFB4BD89A6E7FA5BF47310F04026DF905A72C2E6319D41D7A0

Function 005850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00585186
ShowWindow.USER32(?,00000000), ref: 005851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005851D1

Part of subcall function 00586FBA: DeleteObject.GDI32(00000000), ref: 00586FE6

GetWindowLongW.USER32(?,000000F0), ref: 0058520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0058521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0058524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00585287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00585296

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 809cded524d96f7571e70b2f0fe09d90f4ba29c65eba0127d264ac7dc933cda4
Instruction ID: 7298ee47408b1a327f57c2ecd3d812354bdef7df465ff79c3813233fb1bf281b
Opcode Fuzzy Hash: 809cded524d96f7571e70b2f0fe09d90f4ba29c65eba0127d264ac7dc933cda4
Instruction Fuzzy Hash: A751AF34A50A09BEEF20AF24CC4EBD83F65FB45321F144011FE56BA2E1EB75A994DB50

Function 00508B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00546890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00508874,00000000,00000000,00000000,000000FF,00000000), ref: 00546901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0054691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00508874,00000000,00000000,00000000,000000FF,00000000), ref: 0054692D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 227066bec85f9e881dd3d2a2d809f1d8e595cc07bce9e0e56caf1c3acc3bce7f
Instruction ID: 0cb28a0220c7d562f6baf7bca491ac6675ad50d3bfaba57b5aeca74f10f1c14a
Opcode Fuzzy Hash: 227066bec85f9e881dd3d2a2d809f1d8e595cc07bce9e0e56caf1c3acc3bce7f
Instruction Fuzzy Hash: 42518770600609EFDB20CF24CC55FAA7FB5FB99764F104528F992A62E0DB70E990EB50

Function 0056C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0056C182
GetLastError.KERNEL32 ref: 0056C195
SetEvent.KERNEL32(?), ref: 0056C1A9

Part of subcall function 0056C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056C272
Part of subcall function 0056C253: GetLastError.KERNEL32 ref: 0056C322
Part of subcall function 0056C253: SetEvent.KERNEL32(?), ref: 0056C336
Part of subcall function 0056C253: InternetCloseHandle.WININET(00000000), ref: 0056C341

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bca2bac99e688890a4b46e0a22758e2e8d4f809e4e833b113fe9bed6fe2f82e7
Instruction ID: 6176fecebb203fde120e7bf84beac70b6a582114d844a33746496ab264484260
Opcode Fuzzy Hash: bca2bac99e688890a4b46e0a22758e2e8d4f809e4e833b113fe9bed6fe2f82e7
Instruction Fuzzy Hash: 22316B75200605AFDB219FA5DC58A76BFE9FF68300B00851DFDDA93610DB31E818EBA0

Function 005525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00552601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00552605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0055260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00552623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00552627

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6fdbe08c0d28201c6de4ae59e9534c6b2662bfb39593baca3e14efc0b1d4b53a
Instruction ID: 538b519c8dc0bd0dc184490f212e1e3e3a7641293b075a0affc53f4ae2981d44
Opcode Fuzzy Hash: 6fdbe08c0d28201c6de4ae59e9534c6b2662bfb39593baca3e14efc0b1d4b53a
Instruction Fuzzy Hash: BA01B131290210BBFB106769DC9EF593F59EB9AB52F101012FB18AE0D5C9F22448DB79

Function 00551803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00551449,?,?,00000000), ref: 0055180C
HeapAlloc.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 00551813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00551449,?,?,00000000), ref: 00551828
GetCurrentProcess.KERNEL32(?,00000000,?,00551449,?,?,00000000), ref: 00551830
DuplicateHandle.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 00551833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00551449,?,?,00000000), ref: 00551843
GetCurrentProcess.KERNEL32(00551449,00000000,?,00551449,?,?,00000000), ref: 0055184B
DuplicateHandle.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 0055184E
CreateThread.KERNEL32(00000000,00000000,00551874,00000000,00000000,00000000), ref: 00551868

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c313e10c575205d6b2a9e9d469979a89eae6b49a0311402c85dce0402b62db20
Instruction ID: 2ab21b36c8093d5196edc55d6b01a72bd1e70fbe59d3a3e51eb644a8a1fc209c
Opcode Fuzzy Hash: c313e10c575205d6b2a9e9d469979a89eae6b49a0311402c85dce0402b62db20
Instruction Fuzzy Hash: F801A8B5240308BFE610ABA5DC8DF6B3FACEB99B11F005411FA05EB2A1DA719804DB30

Function 0057A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0055D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0055D501
Part of subcall function 0055D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0055D50F
Part of subcall function 0055D4DC: CloseHandle.KERNELBASE(00000000), ref: 0055D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0057A16D
GetLastError.KERNEL32 ref: 0057A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0057A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0057A268
GetLastError.KERNEL32(00000000), ref: 0057A273
CloseHandle.KERNEL32(00000000), ref: 0057A2C4

Strings

SeDebugPrivilege, xrefs: 0057A18F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d70280232c5ab24bdf01e82608d0567f77c1c4745ff9daa9778c6586b6f0afc2
Instruction ID: e3ac0d7f84090d0f27413adde95e6bc7ece611d955481d386ed379ed528282ca
Opcode Fuzzy Hash: d70280232c5ab24bdf01e82608d0567f77c1c4745ff9daa9778c6586b6f0afc2
Instruction Fuzzy Hash: 34618C35204242AFD710DF19D494F29BFA1BF94318F54C48CE86A8B6A3C776EC49DB92

Function 00583886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00583925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0058393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00583954
_wcslen.LIBCMT ref: 00583999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005839F4

Strings

SysListView32, xrefs: 005838F7

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 72bc5ea1137186df1b9b8de0cbfed1d23afc5f3ee038f49629924016027da893
Instruction ID: df26690ccc0f10287d89e8d374f12374df7a0fba01ee95c3d21a2348ad2253ff
Opcode Fuzzy Hash: 72bc5ea1137186df1b9b8de0cbfed1d23afc5f3ee038f49629924016027da893
Instruction Fuzzy Hash: 6841A171A00219ABEB21AF64CC49FEA7FA9FF48750F100526F958F7281D7719A84CB94

Function 0055BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0055BCFD
IsMenu.USER32(00000000), ref: 0055BD1D
CreatePopupMenu.USER32 ref: 0055BD53
GetMenuItemCount.USER32(011964A0), ref: 0055BDA4
InsertMenuItemW.USER32(011964A0,?,00000001,00000030), ref: 0055BDCC

Strings

0, xrefs: 0055BCA8
2, xrefs: 0055BD37

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f0cf7964c9b63ca6dc91a24ae8ff81054a04db577de6613c06dfed0ad383b481
Instruction ID: bacd08cd6d5e4f4e4e8a44f4c9f57c471bdb2eeac0aaaf21b9dc8654432a4860
Opcode Fuzzy Hash: f0cf7964c9b63ca6dc91a24ae8ff81054a04db577de6613c06dfed0ad383b481
Instruction Fuzzy Hash: 6451AF70A002099BEF10CFA8D8ACBAEBFF4BF95316F14451AEC51E7290D7719948CB61

Function 00512D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00512D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00512D53
_ValidateLocalCookies.LIBCMT ref: 00512DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00512E0C
_ValidateLocalCookies.LIBCMT ref: 00512E61

Strings

&HQ, xrefs: 00512DFE, 00512E07, 00512E18
csm, xrefs: 00512DF6

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HQ$csm
API String ID: 1170836740-3952113351
Opcode ID: 12679fea1ebb813971813df84cc972156423dac9fa7e9a5a8eaa85fd2b40592c
Instruction ID: 0035aaa44fef48e89856006cc17398d7247a423b762a0035dc16955f89d5b125
Opcode Fuzzy Hash: 12679fea1ebb813971813df84cc972156423dac9fa7e9a5a8eaa85fd2b40592c
Instruction Fuzzy Hash: E841C634A00209AFDF10DF68D859ADEBFB5BF44324F148155E8146B392D731AEA6CBD0

Function 0055C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0055C913

Strings

stop, xrefs: 0055C8E4
info, xrefs: 0055C8B4
blank, xrefs: 0055C895
question, xrefs: 0055C8CC
warning, xrefs: 0055C8FC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5b0042f266f082b3388b2a862c047e6fd846f25c00bd05947b5bdcc779496583
Instruction ID: d68e84e1c5f0fbf48ed38829401603b9d0d3d6dae01cbd775e7a6264d7806301
Opcode Fuzzy Hash: 5b0042f266f082b3388b2a862c047e6fd846f25c00bd05947b5bdcc779496583
Instruction Fuzzy Hash: 42113D32689307BFE7005B149C93CEA6FACFF15716B20002BFD00A62C2DB747D845664

Function 0055DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0055DE42
gethostname.WSOCK32(?,00000100), ref: 0055DE5C
gethostbyname.WSOCK32(?), ref: 0055DE69
inet_ntoa.WSOCK32(?), ref: 0055DEAB
_strcat.LIBCMT ref: 0055DEB9
WSACleanup.WSOCK32 ref: 0055DEDE

Strings

0.0.0.0, xrefs: 0055DE87

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 586527306dbad89120f4a4340ff54a3bcdf7ed6ca706bc34567554d9fcf28df4
Instruction ID: 7c28a31f412502d1025c32b7b25a1374585f204598dcd66911eb6d12f7dbdd46
Opcode Fuzzy Hash: 586527306dbad89120f4a4340ff54a3bcdf7ed6ca706bc34567554d9fcf28df4
Instruction Fuzzy Hash: 7111E73250411AABDB30AB209C0BEEE7FBCFB51712F00016AF905E6091EF748A859B70

Function 0055ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0055ED2A
_wcslen.LIBCMT ref: 0055ED3B
_wcslen.LIBCMT ref: 0055ED79
_wcslen.LIBCMT ref: 0055EDAF
_wcslen.LIBCMT ref: 0055EDDF
_wcslen.LIBCMT ref: 0055EDEF
_wcslen.LIBCMT ref: 0055EE2B
_wcslen.LIBCMT ref: 0055EE5A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 64ebdbda4f15e207ace82a1665ecfdd446f2f7ef6129edb4ddc3bdf4f719ab95
Instruction ID: 2208ee58973c4c6f796c416478514749fbeb27ba00a4d5308826ebc515507af0
Opcode Fuzzy Hash: 64ebdbda4f15e207ace82a1665ecfdd446f2f7ef6129edb4ddc3bdf4f719ab95
Instruction Fuzzy Hash: 35418069C1021965DB11EBB4888F9CFBBBCBF85710F508466E924E3122EB34E395C7A5

Function 0050F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0050F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0054F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0054F454

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7c1877df8d7f36fe7566497a6c2a46137c8028821fcedd535a49f3e9b2268bb1
Instruction ID: b04a459d046cad3db4961ca95c272064ca1c1fb0585987bd5d76ff0d58c2d3b3
Opcode Fuzzy Hash: 7c1877df8d7f36fe7566497a6c2a46137c8028821fcedd535a49f3e9b2268bb1
Instruction Fuzzy Hash: 6D412A31608680BEDB398F2DD88CB6E7F91BB96314F144C3DE48762DE1D631A885DB11

Function 00582D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00582D1B
GetDC.USER32(00000000), ref: 00582D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00582D2E
ReleaseDC.USER32(00000000,00000000), ref: 00582D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00582D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00582D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00585A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00582DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00582DE1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 21dd32bbd6f195b68a8652706f317063bd93affac5d98cb34cac2684038bbba7
Instruction ID: 3d97e1aced6e0bc754b0bb03aae7b2adc2025ad77fb8aba002ababea8b388dbb
Opcode Fuzzy Hash: 21dd32bbd6f195b68a8652706f317063bd93affac5d98cb34cac2684038bbba7
Instruction Fuzzy Hash: 1B318B76201214BBEB119F548C8AFEB3FA9FF19751F044065FE08AE291D6759C45CBB0

Function 00555622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00555637
_memcmp.LIBVCRUNTIME ref: 00555659
_memcmp.LIBVCRUNTIME ref: 00555671
_memcmp.LIBVCRUNTIME ref: 00555684
_memcmp.LIBVCRUNTIME ref: 0055569E
_memcmp.LIBVCRUNTIME ref: 005556B1
_memcmp.LIBVCRUNTIME ref: 005556C9
_memcmp.LIBVCRUNTIME ref: 005556E4

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9f48df24cea49bc33c6931360d103ff547a2107fcb87fcb5ece7237835458c09
Instruction ID: 7bdde14fac3e6049a9f3f9d31768ef6a5724d478ba11c68d0d5e4286ab1842ba
Opcode Fuzzy Hash: 9f48df24cea49bc33c6931360d103ff547a2107fcb87fcb5ece7237835458c09
Instruction Fuzzy Hash: FF212C61744D0EB7E21465118DB2FFA3F5CBF54386F540422FE066A541F720EE1883A9

Function 00574FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0057502E, 00575383
Not an Object type, xrefs: 00575007

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5cc6f94a26b7483e952855286b5da403d1641f6feb65c5d2596b2c14b2e496a7
Instruction ID: f6c7f8505cc8f5d4dc8489fb9a07ab750ef98cec77471f24a39c528c912152c8
Opcode Fuzzy Hash: 5cc6f94a26b7483e952855286b5da403d1641f6feb65c5d2596b2c14b2e496a7
Instruction Fuzzy Hash: 5AD1E371A0060A9FDF10CFA8D884BAEBBB5FF48304F14C469E919AB291E7B0DD45DB50

Function 00531522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 005315CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00531651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005316E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005316FB

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00531777
__freea.LIBCMT ref: 005317A2
__freea.LIBCMT ref: 005317AE

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 06b79fddda4df28191284e037d1dd75029be1db08b7f53dff9b5e10727643871
Instruction ID: d8996ac19affbdbef217f4a5b1f9c4ebadf0e5c13710174426dd0768a56cf55b
Opcode Fuzzy Hash: 06b79fddda4df28191284e037d1dd75029be1db08b7f53dff9b5e10727643871
Instruction Fuzzy Hash: DC91A271E00A169ADF218FB4C985AEE7FB5FF89310F184659E802E7281DB35DC44CB68

Function 00574523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00574648
VariantInit.OLEAUT32(?), ref: 00574749
VariantClear.OLEAUT32(?), ref: 00574753
VariantClear.OLEAUT32(?), ref: 005747B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 005745D8, 00574706, 005747BE
Incorrect Object type in FOR..IN loop, xrefs: 0057472C

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 8dd6e018912e10831eedffda40453608f18704b068fd1d65bd39277ab33c4b27
Instruction ID: 409a887adc2d1eb63a3a8315f633190dd9d072b6dc7136a4da63350d9f4bf8e3
Opcode Fuzzy Hash: 8dd6e018912e10831eedffda40453608f18704b068fd1d65bd39277ab33c4b27
Instruction Fuzzy Hash: 4A919171A00219ABDF24CFA4D888FAEBFB8FF85710F108559F509AB280D7709941DFA0

Function 00561187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0056125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00561284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0056135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00561430

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 0590352521fae45622ff05af5320aa9ec5c9ae33dfdce37ee855cf9087ed2344
Instruction ID: 16b57d0e7682ba628b1a1ae7d5f2816bfd91d61d37951d0db6d03c9f2144e6c7
Opcode Fuzzy Hash: 0590352521fae45622ff05af5320aa9ec5c9ae33dfdce37ee855cf9087ed2344
Instruction Fuzzy Hash: 54912675A006099FDB00DFA5C885BBEBBB5FF84315F184429E901EB291DB74ED41CB98

Function 0050948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 18c05bb4bc090199f817d065fd96529155fd4184d815e3637037513a7f043667
Instruction ID: 57616fe2505f8aa4fd535fcab68922c3b4ca74b61a25691c200d3878dd37f7a7
Opcode Fuzzy Hash: 18c05bb4bc090199f817d065fd96529155fd4184d815e3637037513a7f043667
Instruction Fuzzy Hash: 78912771900219EFCB10CFA9CC88AEEBFB8FF49324F148555E915B7296D374A941CB60

Function 00573947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057396B
CharUpperBuffW.USER32(?,?), ref: 00573A7A
_wcslen.LIBCMT ref: 00573A8A
VariantClear.OLEAUT32(?), ref: 00573C1F

Part of subcall function 00560CDF: VariantInit.OLEAUT32(00000000), ref: 00560D1F
Part of subcall function 00560CDF: VariantCopy.OLEAUT32(?,?), ref: 00560D28
Part of subcall function 00560CDF: VariantClear.OLEAUT32(?), ref: 00560D34

Strings

Incorrect Parameter format, xrefs: 005739A6, 00573BA1
AUTOIT.ERROR, xrefs: 00573A80, 00573A85

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b5209949bd2cb672fdc1b8a332f2e6d6719e05628a3116f73bb1dff3274d99b4
Instruction ID: a5fa21a821770273385c04aeeecb56ffc73cd42aa1f5945f52ed41b43e3259e2
Opcode Fuzzy Hash: b5209949bd2cb672fdc1b8a332f2e6d6719e05628a3116f73bb1dff3274d99b4
Instruction Fuzzy Hash: 0F9168756083059FC704EF24D48596ABBE4FF88324F14886EF8899B351DB30EE45EB92

Function 00574BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0055000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?,?,0055035E), ref: 0055002B
Part of subcall function 0055000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550046
Part of subcall function 0055000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550054
Part of subcall function 0055000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?), ref: 00550064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00574C51
_wcslen.LIBCMT ref: 00574D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00574DCF
CoTaskMemFree.OLE32(?), ref: 00574DDA

Strings

NULL Pointer assignment, xrefs: 00574E23, 00574E52

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 238ead6cbfec1b4e84639642c84cf4d7ad676df7b674385ec4c427c5c43ddee4
Instruction ID: cd9e3f37c6bac56d21f549be7d86cba5542d4e2fb18370a860abf0b5573d1710
Opcode Fuzzy Hash: 238ead6cbfec1b4e84639642c84cf4d7ad676df7b674385ec4c427c5c43ddee4
Instruction Fuzzy Hash: 38913871D0021D9FDF10DFA4D891AEEBBB8BF08314F10856AE919A7281DB349E44DF60

Function 005820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00582183
GetMenuItemCount.USER32(00000000), ref: 005821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005821DD
_wcslen.LIBCMT ref: 00582213
GetMenuItemID.USER32(?,?), ref: 0058224D
GetSubMenu.USER32(?,?), ref: 0058225B

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005822E3

Part of subcall function 0055E97B: Sleep.KERNEL32 ref: 0055E9F3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: fbd87aded707dcd7d354d6f8f29738dbffc271c743ec7a73232941f12f0fc1c2
Instruction ID: f745c9378fa764344d7a8fe5ce7c9d1384b1d358e3844601da03f0d5462cf804
Opcode Fuzzy Hash: fbd87aded707dcd7d354d6f8f29738dbffc271c743ec7a73232941f12f0fc1c2
Instruction Fuzzy Hash: 2F714C75A00205AFCB14EF65C885AAEBFF5BF88314F148469E916FB351DB34A941CBA0

Function 00587E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01196310), ref: 00587F37
IsWindowEnabled.USER32(01196310), ref: 00587F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0058801E
SendMessageW.USER32(01196310,000000B0,?,?), ref: 00588051
IsDlgButtonChecked.USER32(?,?), ref: 00588089
GetWindowLongW.USER32(01196310,000000EC), ref: 005880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005880C3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 64d5e50fc1aade5f189694422511f8fef9f01d17a22782013b8a5e82a53693e6
Instruction ID: e66c136cffdfe694efa65b8d3a7b72e021e987df8ac2af70900c93fe3641590e
Opcode Fuzzy Hash: 64d5e50fc1aade5f189694422511f8fef9f01d17a22782013b8a5e82a53693e6
Instruction Fuzzy Hash: B7719E34608248AFEB21AF65C888FBA7FB5FF19300F244459EE55A7261CB31E845DB20

Function 0055AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0055AEF9
GetKeyboardState.USER32(?), ref: 0055AF0E
SetKeyboardState.USER32(?), ref: 0055AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0055AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0055AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0055AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0055B020

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 44ce816090e194e86be5f31bb4cff7ddd7892013432d6a2532015cefa193e4a4
Instruction ID: 2f79d17ec346a98eafacd813a555e189f0e16a3f46c9cf48e60ac0838278f7a0
Opcode Fuzzy Hash: 44ce816090e194e86be5f31bb4cff7ddd7892013432d6a2532015cefa193e4a4
Instruction Fuzzy Hash: 085104A06043D13DFB3242348C69BBABEA96F06305F08858AE9D9554D3D398ACCCD361

Function 0055ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0055AD19
GetKeyboardState.USER32(?), ref: 0055AD2E
SetKeyboardState.USER32(?), ref: 0055AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0055ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0055ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0055AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0055AE38

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d64a938074b66d71ba86335b86d989875427caf28455e7bbe55e103e5a1fa8d2
Instruction ID: e243678e07a9c34d18f8413dfddd69b37db9465e8ec1bacfeaf0f32f5c91c2c5
Opcode Fuzzy Hash: d64a938074b66d71ba86335b86d989875427caf28455e7bbe55e103e5a1fa8d2
Instruction Fuzzy Hash: D15108A15047D53DFB3393348C66B7ABEA87B45302F08868AE9D5568C2D394EC8CD762

Function 0052542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00533CD6,?,?,?,?,?,?,?,?,00525BA3,?,?,00533CD6,?,?), ref: 00525470
__fassign.LIBCMT ref: 005254EB
__fassign.LIBCMT ref: 00525506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00533CD6,00000005,00000000,00000000), ref: 0052552C
WriteFile.KERNEL32(?,00533CD6,00000000,00525BA3,00000000,?,?,?,?,?,?,?,?,?,00525BA3,?), ref: 0052554B
WriteFile.KERNEL32(?,?,00000001,00525BA3,00000000,?,?,?,?,?,?,?,?,?,00525BA3,?), ref: 00525584

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ab8f9c63cb740525c0e727126bc9d47ca444b41ad563a5281b79dfaaf0990ea6
Instruction ID: c4a0c4033cf1dd82cad9841fd81741100a9ed1a911799fd9e7fbcbc6be865c7c
Opcode Fuzzy Hash: ab8f9c63cb740525c0e727126bc9d47ca444b41ad563a5281b79dfaaf0990ea6
Instruction Fuzzy Hash: FE51B171A006199FDB10CFA8E885AEEBFF9FF1A301F14451AF955E72D1E6309A41CB60

Function 005710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0057307A
Part of subcall function 0057304E: _wcslen.LIBCMT ref: 0057309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00571112
WSAGetLastError.WSOCK32 ref: 00571121
WSAGetLastError.WSOCK32 ref: 005711C9
closesocket.WSOCK32(00000000), ref: 005711F9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6cd4e1b775ffed42966668538635dad0cb5bfe31128e12a3fdab2eda9a9d5f6a
Instruction ID: e9b0c1fb97e81a9590989159dd5157cb62bbf86167a8fbf757add90597752f32
Opcode Fuzzy Hash: 6cd4e1b775ffed42966668538635dad0cb5bfe31128e12a3fdab2eda9a9d5f6a
Instruction Fuzzy Hash: 30410331600608AFDB109F28D884BA9BFE9FF45328F54C059FD0AAF291C774AD45DBA5

Function 0055CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0055CF22,?), ref: 0055DDFD

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0055CF22,?), ref: 0055DE16

lstrcmpiW.KERNEL32(?,?), ref: 0055CF45
MoveFileW.KERNEL32(?,?), ref: 0055CF7F
_wcslen.LIBCMT ref: 0055D005
_wcslen.LIBCMT ref: 0055D01B
SHFileOperationW.SHELL32(?), ref: 0055D061

Strings

\*.*, xrefs: 0055CFF3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 18843b0866532f8e2c0ee0e902c0542e9b00b9b77081304c47c43a10c210e064
Instruction ID: 799d8d923e72dd5e914bf7ff03680f90a3e7499909945f3354edc6e0a583ab7a
Opcode Fuzzy Hash: 18843b0866532f8e2c0ee0e902c0542e9b00b9b77081304c47c43a10c210e064
Instruction Fuzzy Hash: BA4144719052195FDF12EBA4D995ADDBFB8BF48381F0000E7E905EB141EA34A788CB50

Function 00582DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00582E1C
GetWindowLongW.USER32(?,000000F0), ref: 00582E4F
GetWindowLongW.USER32(?,000000F0), ref: 00582E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00582EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00582EE0
GetWindowLongW.USER32(?,000000F0), ref: 00582EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00582F0B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8f4c55b56e5e3c009d78baece423fe69addf12410e43a8c21c7597f32f1964bc
Instruction ID: 1883cbe420c706ec1a571a4735707ef00f147405ea494dd17a19b3a282ebec61
Opcode Fuzzy Hash: 8f4c55b56e5e3c009d78baece423fe69addf12410e43a8c21c7597f32f1964bc
Instruction Fuzzy Hash: F3312430604640AFDB21EF19DC84F653FE8FBAA710F141165F900AF2B2CB71A848EB18

Function 00557726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0055778F
SysAllocString.OLEAUT32(00000000), ref: 00557792
SysAllocString.OLEAUT32(?), ref: 005577B0
SysFreeString.OLEAUT32(?), ref: 005577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005577DE
SysAllocString.OLEAUT32(?), ref: 005577EC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ac06efa759ca8386264c56bfa9b7e534e94e1e1c467630333cbbe1413c00728d
Instruction ID: b42665c6a2a3c05dc8c67a88e247d895d5440c25b10c0c2410fbb58cd674cdd6
Opcode Fuzzy Hash: ac06efa759ca8386264c56bfa9b7e534e94e1e1c467630333cbbe1413c00728d
Instruction Fuzzy Hash: 92219F76614219AFDF10DFA8EC88CBA7BACFB0D3657048426BD14DB1A0D6709C498760

Function 005577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557868
SysAllocString.OLEAUT32(00000000), ref: 0055786B
SysAllocString.OLEAUT32 ref: 0055788C
SysFreeString.OLEAUT32 ref: 00557895
StringFromGUID2.OLE32(?,?,00000028), ref: 005578AF
SysAllocString.OLEAUT32(?), ref: 005578BD

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1c2de8ab1887f177526fc8fe3a694d4e7695493f290a6b31f088929a636db75a
Instruction ID: 76d1660f988e9d83e28bcd7cbd61ee7558e0a86d6ae15cfc7313cb0c1dc93225
Opcode Fuzzy Hash: 1c2de8ab1887f177526fc8fe3a694d4e7695493f290a6b31f088929a636db75a
Instruction Fuzzy Hash: 09218131604118AFDF109BA8EC9CDAA7BACFB0C3617108126BD15DB2A1D670DC49CB74

Function 005604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0056052E

Strings

nul, xrefs: 00560567

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 68169ce65331f6e4791e3a3e73e2e9c7fbfbc9aca7dfb1ebe9a8600d23259afd
Instruction ID: 2dd1017d706fab86ad719139c997ad94116bafbecf45225f329b64205c54d1d4
Opcode Fuzzy Hash: 68169ce65331f6e4791e3a3e73e2e9c7fbfbc9aca7dfb1ebe9a8600d23259afd
Instruction Fuzzy Hash: BE215C75600305ABDF209F29DC44AAB7FA4BF64724F205A19F8A2E72E0E7709944DF20

Function 005605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00560601

Strings

nul, xrefs: 00560639

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7d699386046f7657db1b2be9c6dadf69f37da132bc853f74976858236fe0ad80
Instruction ID: 31b906b6bb4d403c0beff12745400c19514f80461cacb76a8a7304744f051543
Opcode Fuzzy Hash: 7d699386046f7657db1b2be9c6dadf69f37da132bc853f74976858236fe0ad80
Instruction Fuzzy Hash: 7F2151755003059BDB209F69DC44AAB7FE4BF95720F201A19FCA1E72E0D7B09961DB20

Function 005840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
Part of subcall function 004F600E: GetStockObject.GDI32(00000011), ref: 004F6060
Part of subcall function 004F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00584112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0058411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0058412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00584139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00584145

Strings

Msctls_Progress32, xrefs: 005840E3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f02a544d83e7568ae914d654fe450e13d13d9ea952d7daf483c5e46d4a6bcf5c
Instruction ID: 37c167e4c2c78ac3e6aa5d1e98b997d236c7441cfda94794a3910821aa614617
Opcode Fuzzy Hash: f02a544d83e7568ae914d654fe450e13d13d9ea952d7daf483c5e46d4a6bcf5c
Instruction Fuzzy Hash: 671190B215021EBEEF119F64CC85EE77F5DFF18798F014111BA18A6090CA769C21DBA4

Function 0052D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0052D7A3: _free.LIBCMT ref: 0052D7CC

_free.LIBCMT ref: 0052D82D

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052D838
_free.LIBCMT ref: 0052D843
_free.LIBCMT ref: 0052D897
_free.LIBCMT ref: 0052D8A2
_free.LIBCMT ref: 0052D8AD
_free.LIBCMT ref: 0052D8B8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 3dbe6212fc4485eb7f410a970959c79be8919209bf0380ab29a7a80fe44a6126
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B3113072540725BAD521BFB0EC4BFCB7FECBF86700F440815B29DA60D2D66DB5854660

Function 0055DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0055DA74
LoadStringW.USER32(00000000), ref: 0055DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0055DA91
LoadStringW.USER32(00000000), ref: 0055DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0055DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0055DAB9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ee44e8acaf1f155411912a177c20a2926538283d0b8e2ad17ce737a0c472a15d
Instruction ID: d2c2601c55b35c1a7ffa06019a5ec8632870077869c77148b81507dfd9d88921
Opcode Fuzzy Hash: ee44e8acaf1f155411912a177c20a2926538283d0b8e2ad17ce737a0c472a15d
Instruction Fuzzy Hash: EC0162F25002087FEB10ABA4DD89EEB3A6CF708301F4014A6BB06F2041E6749E888F74

Function 0056096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0118F5C0,0118F5C0), ref: 0056097B
EnterCriticalSection.KERNEL32(0118F5A0,00000000), ref: 0056098D
TerminateThread.KERNEL32(?,000001F6), ref: 0056099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005609A9
CloseHandle.KERNEL32(?), ref: 005609B8
InterlockedExchange.KERNEL32(0118F5C0,000001F6), ref: 005609C8
LeaveCriticalSection.KERNEL32(0118F5A0), ref: 005609CF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8b343081d708f913b3d32a4e90cc828299d2a29f2252de6dea2a38be5577746f
Instruction ID: f4cbda73cab2cd8ffb0c1e5224cbe517bbe089c12e0b3fc7f8209d92167989da
Opcode Fuzzy Hash: 8b343081d708f913b3d32a4e90cc828299d2a29f2252de6dea2a38be5577746f
Instruction Fuzzy Hash: A9F01D31442902ABD7415B94EE8CAD67F25BF11712F403015F502618E0C7749469DFA0

Function 00571C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00571DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00571DE1
WSAGetLastError.WSOCK32 ref: 00571DF2
htons.WSOCK32(?,?,?,?,?), ref: 00571EDB
inet_ntoa.WSOCK32(?), ref: 00571E8C

Part of subcall function 005539E8: _strlen.LIBCMT ref: 005539F2

Part of subcall function 00573224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0056EC0C), ref: 00573240

_strlen.LIBCMT ref: 00571F35

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 42360a93a586e52545debda95a0b9588e762f273698c3f976c7dca1a10438844
Instruction ID: 3e718931263d1c0f4564ad6088b25149faa8b3e8f6cf58e65b691467263f5b84
Opcode Fuzzy Hash: 42360a93a586e52545debda95a0b9588e762f273698c3f976c7dca1a10438844
Instruction Fuzzy Hash: A5B1E070204700AFC324EF29D895E3A7BA9BF84318F54894CF55A5B2E2CB31ED45CBA5

Function 004F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004F5D30
GetWindowRect.USER32(?,?), ref: 004F5D71
ScreenToClient.USER32(?,?), ref: 004F5D99
GetClientRect.USER32(?,?), ref: 004F5ED7
GetWindowRect.USER32(?,?), ref: 004F5EF8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 2bce184be1cdc413a74e59ad3a29a0e852771696e44d70120330b1b001559ee8
Instruction ID: 7a0b3212865949888d6bf82260880491a08827c2598140a9f7ac562750a522fa
Opcode Fuzzy Hash: 2bce184be1cdc413a74e59ad3a29a0e852771696e44d70120330b1b001559ee8
Instruction Fuzzy Hash: 73B17935A00A4ADBDB10CFA9C4807FEBBF1FF58310F14941AEAA9D7250DB34AA51DB54

Function 005201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005200D6
__allrem.LIBCMT ref: 005200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0052010B
__allrem.LIBCMT ref: 00520122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00520140

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: fdcb23850a64eaa0212bbbec82f343c887ce09a75742cbe89d9d3ef85037e231
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 72812776A01B269BF7209F38DC45BAB7BE9BF82320F24453AF511D62C2E7B0D9418750

Function 005261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005182D9,005182D9,?,?,?,0052644F,00000001,00000001,8BE85006), ref: 00526258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0052644F,00000001,00000001,8BE85006,?,?,?), ref: 005262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005263D8
__freea.LIBCMT ref: 005263E5

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

__freea.LIBCMT ref: 005263EE
__freea.LIBCMT ref: 00526413

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ac409ea5a3b13ea1375297f0de49ace24e43ff4d38ef74baaded3a1151e66508
Instruction ID: 737eadab35e5d1fc694a60baf68060e9b1535a0fa29bcf37efac769809aca680
Opcode Fuzzy Hash: ac409ea5a3b13ea1375297f0de49ace24e43ff4d38ef74baaded3a1151e66508
Instruction Fuzzy Hash: 9251CE72600226ABEB258E64EC85EAF7FA9FF96710F154A29FC05D71C0DB34DC44C6A0

Function 0057BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057BD25
RegCloseKey.ADVAPI32(00000000), ref: 0057BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0057BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0057BDF3
RegCloseKey.ADVAPI32(?), ref: 0057BDFF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: cd5826ea24a762c357e6efb99969ac08c2c1601817855b5d4c1bef85f9c921d2
Instruction ID: 15e37082e9d0915acecd01726a15784ddc766152c88cfb5cbf34eebbfec57708
Opcode Fuzzy Hash: cd5826ea24a762c357e6efb99969ac08c2c1601817855b5d4c1bef85f9c921d2
Instruction Fuzzy Hash: 5F81AA70208241AFD714DF24D885F2ABBE9FF84348F14896DF5598B2A2DB31ED05DB92

Function 0054F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0054F7B9
SysAllocString.OLEAUT32(00000001), ref: 0054F860
VariantCopy.OLEAUT32(0054FA64,00000000), ref: 0054F889
VariantClear.OLEAUT32(0054FA64), ref: 0054F8AD
VariantCopy.OLEAUT32(0054FA64,00000000), ref: 0054F8B1
VariantClear.OLEAUT32(?), ref: 0054F8BB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: fc307f06b8517bbb1cdb42cde1bc0ebc3917302b7c0d0fce7a7b54d04df33d79
Instruction ID: 8992eaee210485d61d0f3faec98c3d22d722b4e290d84537ede89ded14eb7014
Opcode Fuzzy Hash: fc307f06b8517bbb1cdb42cde1bc0ebc3917302b7c0d0fce7a7b54d04df33d79
Instruction Fuzzy Hash: ED51EA31A00311BACF24AF69D895BB9BBA4FF85318F145867E905DF291D7748C40C7A6

Function 0056910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005694E5
_wcslen.LIBCMT ref: 00569506
_wcslen.LIBCMT ref: 0056952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00569585

Strings

X, xrefs: 00569412

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 8829d7dfef441f744f979f9a62b3411373cd4e30358a03bef8039e10be451063
Instruction ID: 9bd1d210f22fee874e9a2ada4d1951cb8f26fc20652b2ab841e23469133d342b
Opcode Fuzzy Hash: 8829d7dfef441f744f979f9a62b3411373cd4e30358a03bef8039e10be451063
Instruction Fuzzy Hash: 23E1B131604341DFD724EF25C485A6ABBE4FF85318F04896DF9899B2A2DB34DD05CB92

Function 0050920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

BeginPaint.USER32(?,?,?), ref: 00509241
GetWindowRect.USER32(?,?), ref: 005092A5
ScreenToClient.USER32(?,?), ref: 005092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005092D3
EndPaint.USER32(?,?,?,?,?), ref: 00509321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005471EA

Part of subcall function 00509339: BeginPath.GDI32(00000000), ref: 00509357

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9828885408a05f3f1fe63bd79c00f62e3230c4021dcf80c4041fee6bfb9d87bb
Instruction ID: 312c4b34ef24f1227f7115fee108c68535016a792fffa24513f16abebf38a108
Opcode Fuzzy Hash: 9828885408a05f3f1fe63bd79c00f62e3230c4021dcf80c4041fee6bfb9d87bb
Instruction Fuzzy Hash: 84419D70104701AFD721DF24CC88FAA7FB8FB9A324F140629F994972E2C7719849EB61

Function 005607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0056080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00560847
EnterCriticalSection.KERNEL32(?), ref: 00560863
LeaveCriticalSection.KERNEL32(?), ref: 005608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00560921

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 0875a9c594eca14762891189726a1cf63e9de2ae5673c301d3f6a248fa5acf33
Instruction ID: 378923174b4d61bf996b3d35f13f9978c979f59d55484d8d8da663c35a3dac02
Opcode Fuzzy Hash: 0875a9c594eca14762891189726a1cf63e9de2ae5673c301d3f6a248fa5acf33
Instruction Fuzzy Hash: B7414871900205EBDF14EF54DC89AAA7BB9FF44310F1440A9ED01AB297DB30EE65DBA0

Function 005881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0054F3AB,00000000,?,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0058824C
EnableWindow.USER32(?,00000000), ref: 00588272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005882D1
ShowWindow.USER32(?,00000004), ref: 005882E5
EnableWindow.USER32(?,00000001), ref: 0058830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0058832F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ebd046c00fe98e1c8751b07573bdce898518f679a789db216f157131c89f1605
Instruction ID: c183bea16e00793ce0deb0960ad7ddc5aa98bfef3d0ec6672b406db4f3f80278
Opcode Fuzzy Hash: ebd046c00fe98e1c8751b07573bdce898518f679a789db216f157131c89f1605
Instruction Fuzzy Hash: 8641C438601A40AFDB22EF15CC99FB47FE0FB16714F581168ED09AF262CB31A845DB50

Function 00554C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00554C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00554CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00554CEA
_wcslen.LIBCMT ref: 00554D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00554D10
_wcsstr.LIBVCRUNTIME ref: 00554D1A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 71f5737a62c76f8e0367c57fd6dcfe58e51b5c962aa6860b4ea66f649f095450
Instruction ID: ce317a7af72ba3367614fc80029eb14353b3357d2feb817457db9e3f1eeba64f
Opcode Fuzzy Hash: 71f5737a62c76f8e0367c57fd6dcfe58e51b5c962aa6860b4ea66f649f095450
Instruction Fuzzy Hash: 4721C531204201BBEB259B2ADC59A7F7FACEF85755F10403AFC05DE191EA61DC849BA0

Function 0056581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

_wcslen.LIBCMT ref: 0056587B
CoInitialize.OLE32(00000000), ref: 00565995
CoCreateInstance.OLE32(0058FCF8,00000000,00000001,0058FB68,?), ref: 005659AE
CoUninitialize.OLE32 ref: 005659CC

Strings

.lnk, xrefs: 00565876, 005658C1, 00565985

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 59b4619d8681e0253cc16639c290c67bd5661dee837c4cac6352fb89a08926f8
Instruction ID: aeb4f912193719970a418a25468c99204a6ce384d741fdaa7193d51aadb335a0
Opcode Fuzzy Hash: 59b4619d8681e0253cc16639c290c67bd5661dee837c4cac6352fb89a08926f8
Instruction Fuzzy Hash: CCD172706087059FC714DF25C480A2ABBE5FF89718F14885EF98A9B361EB35EC45CB92

Function 0055175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00550FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00550FCA
Part of subcall function 00550FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00550FD6
Part of subcall function 00550FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00550FE5
Part of subcall function 00550FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00550FEC
Part of subcall function 00550FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00551002

GetLengthSid.ADVAPI32(?,00000000,00551335), ref: 005517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005517BA
HeapAlloc.KERNEL32(00000000), ref: 005517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005517DA
GetProcessHeap.KERNEL32(00000000,00000000,00551335), ref: 005517EE
HeapFree.KERNEL32(00000000), ref: 005517F5

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 26efad846c63e57738e42b6c6e2a8dca805a66b83ac37db0791ba3be3980190e
Instruction ID: 3d40541e99c97819995c6280f5d12f6db01f643f1ac2543b25646bbb1c795d2a
Opcode Fuzzy Hash: 26efad846c63e57738e42b6c6e2a8dca805a66b83ac37db0791ba3be3980190e
Instruction Fuzzy Hash: 6F11BE31520A05FFDB149FA8CC99BAE7FA9FF49356F10411AFC41A7210C735A948DB68

Function 005514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00551506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00551515
CloseHandle.KERNEL32(00000004), ref: 00551520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0055154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00551563

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 65d91191d709f816eb544c816931edba903f3d824f59a08f176c42ca4d2b903b
Instruction ID: 016a3142e12504b8ac31d17696d8cfcc22efb78182001d0e2a2f77118b122c66
Opcode Fuzzy Hash: 65d91191d709f816eb544c816931edba903f3d824f59a08f176c42ca4d2b903b
Instruction Fuzzy Hash: 10116472100209EBDF118FA8ED09FDE3FA9FB48749F044029FE05A2060D3758E68EB64

Function 00513382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00513379,00512FE5), ref: 00513390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0051339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005133B7
SetLastError.KERNEL32(00000000,?,00513379,00512FE5), ref: 00513409

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0a303a5295db30b79a30df9d9122ebc5704936be87e0b3c2a1ba4a2467a045f6
Instruction ID: a0a8070b6fc4b5b235475cdc924311636a741493aa95cee7a5bd23387908aa37
Opcode Fuzzy Hash: 0a303a5295db30b79a30df9d9122ebc5704936be87e0b3c2a1ba4a2467a045f6
Instruction Fuzzy Hash: 87012832308312BEBB143B747CED5DB2E54FB653757200729F420841F0EF516D8AA558

Function 00522D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00525686,00533CD6,?,00000000,?,00525B6A,?,?,?,?,?,0051E6D1,?,005B8A48), ref: 00522D78
_free.LIBCMT ref: 00522DAB
_free.LIBCMT ref: 00522DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0051E6D1,?,005B8A48,00000010,004F4F4A,?,?,00000000,00533CD6), ref: 00522DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0051E6D1,?,005B8A48,00000010,004F4F4A,?,?,00000000,00533CD6), ref: 00522DEC
_abort.LIBCMT ref: 00522DF2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a95bfaabd6cbabb223da68ef5343e54b29c71d166e5248d4196785e391c32ae1
Instruction ID: e72b77b95c639c52d74d0568bcc8b4ea1226be1d6ee567c3cabd2e925fe91288
Opcode Fuzzy Hash: a95bfaabd6cbabb223da68ef5343e54b29c71d166e5248d4196785e391c32ae1
Instruction Fuzzy Hash: C8F0C83E50463277C3122738BC0EE5B2E59BFD37A1F240928F829E21D2EE3498475270

Function 00588A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00509639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096A2
Part of subcall function 00509639: BeginPath.GDI32(?), ref: 005096B9
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00588A4E
LineTo.GDI32(?,00000003,00000000), ref: 00588A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00588A70
LineTo.GDI32(?,00000000,00000003), ref: 00588A80
EndPath.GDI32(?), ref: 00588A90
StrokePath.GDI32(?), ref: 00588AA0

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7236b957968a242e844475576cb8bb253c50305a3246931b9a6815ac9a88afbe
Instruction ID: 9547a88ca9545652a6a237982ff1f3a00f2481d6423c9a792215f60bd680a802
Opcode Fuzzy Hash: 7236b957968a242e844475576cb8bb253c50305a3246931b9a6815ac9a88afbe
Instruction Fuzzy Hash: A5110976000109FFDB129F90DC88EAA7F6DEB19390F008052BE19AA1A1C7719D59EBA0

Function 005551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00555218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00555229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00555230
ReleaseDC.USER32(00000000,00000000), ref: 00555238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0055524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00555261

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b0fffd8cdfed8e7b577af2c33f83dd6ca26c4f552ca8283a61674fe2a022ceb9
Instruction ID: 62553dab48c5bcb0c8e40e46543be15a8df5c3cc0d58a37de8bb559c3bb5eb27
Opcode Fuzzy Hash: b0fffd8cdfed8e7b577af2c33f83dd6ca26c4f552ca8283a61674fe2a022ceb9
Instruction Fuzzy Hash: 1A014475A00715BBEB109BB69C49A5EBF78FF54751F044065FE04E7281D6709808DB60

Function 004F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 004F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 004F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 004F1C22

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2c022750fd6d047b42c91e1885be1b88a31f28640a1a03b022cad67b80377421
Instruction ID: 0108bba8de721f999fc51ef1c4afd3888e957bfd08d65140bbe2fc876ca1a7bf
Opcode Fuzzy Hash: 2c022750fd6d047b42c91e1885be1b88a31f28640a1a03b022cad67b80377421
Instruction Fuzzy Hash: 45016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C4B941C7F5A868CBE5

Function 0055EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0055EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0055EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0055EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB75

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6b58f84c9dc21935ea9d302ef6dbbb374195e7f02cf1ecc05a5380cf1fbbc918
Instruction ID: 7f565e3adc753139f8a0d5234090b01b07d85dcaea5d04c03637deee55234a8b
Opcode Fuzzy Hash: 6b58f84c9dc21935ea9d302ef6dbbb374195e7f02cf1ecc05a5380cf1fbbc918
Instruction Fuzzy Hash: 5DF06D72100118BBE62057529C0EEAB3E7CEBDAB11F001168FA01E1091E7B01A09E7B4

Function 00547439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00547452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00547469
GetWindowDC.USER32(?), ref: 00547475
GetPixel.GDI32(00000000,?,?), ref: 00547484
ReleaseDC.USER32(?,00000000), ref: 00547496
GetSysColor.USER32(00000005), ref: 005474B0

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: e3af4f1043fe3df8c50d2ada4e8b75e915d094d5c7b3c21c2dc90049da4f5ba8
Instruction ID: 2a3ec8417a4dd379866d4a7ffa6f0073ae205b66c2dd13b8fb205bf13de5fdde
Opcode Fuzzy Hash: e3af4f1043fe3df8c50d2ada4e8b75e915d094d5c7b3c21c2dc90049da4f5ba8
Instruction Fuzzy Hash: 19017831400609EFDB105FA4EC08BEA7FB5FF18321F1014A0FD16A21A1CB311E45AB60

Function 00551874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0055187F
UnloadUserProfile.USERENV(?,?), ref: 0055188B
CloseHandle.KERNEL32(?), ref: 00551894
CloseHandle.KERNEL32(?), ref: 0055189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005518A5
HeapFree.KERNEL32(00000000), ref: 005518AC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2929cc0a530001494e787ad6556978beca4daa7026292d275b633b144cf34893
Instruction ID: 21a86487d4250e4f4dd1b8d955ef9b7f416c6268cfc34b7755968c2997259cfc
Opcode Fuzzy Hash: 2929cc0a530001494e787ad6556978beca4daa7026292d275b633b144cf34893
Instruction Fuzzy Hash: 22E0E536004101BBDB015FA1ED0CD0ABF39FF69B22B109624FA25A1474CB329425FF60

Function 004FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FBEB3

Strings

D%\, xrefs: 004FBDED, 004FBD91, 004FBD1B
D%\D%\, xrefs: 004FBCA5
D%\, xrefs: 004FBCA2
D%\, xrefs: 004FBE9A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%\$D%\$D%\$D%\D%\
API String ID: 1385522511-524531416
Opcode ID: 6df645743af1e2ebe853b45ac12f16a8dde07a8e1e953b7b980b5787d9a26581
Instruction ID: 17efc7d9968bb4c20802f422eb2c5716171583a6fe28ac21402c0cc29c7c68f2
Opcode Fuzzy Hash: 6df645743af1e2ebe853b45ac12f16a8dde07a8e1e953b7b980b5787d9a26581
Instruction Fuzzy Hash: 64912875A0020ACFCB18CF58C090ABABBF1FF5A310F24816EDA55AB350D735A981DBD5

Function 00577B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00510242: EnterCriticalSection.KERNEL32(005C070C,005C1884,?,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051024D
Part of subcall function 00510242: LeaveCriticalSection.KERNEL32(005C070C,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051028A

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

__Init_thread_footer.LIBCMT ref: 00577BFB

Part of subcall function 005101F8: EnterCriticalSection.KERNEL32(005C070C,?,?,00508747,005C2514), ref: 00510202
Part of subcall function 005101F8: LeaveCriticalSection.KERNEL32(005C070C,?,00508747,005C2514), ref: 00510235

Strings

5, xrefs: 00577C78
Variable must be of type 'Object'., xrefs: 00577C3A
+TT, xrefs: 00577E2E
G, xrefs: 00577C7F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TT$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2382484226
Opcode ID: b88a5d999d08b5b7a373ca17cfdc4dadd30d729208fab1ad3319c1b8a610e5af
Instruction ID: b60833b321c9b855aa48b42e6b0201fdb109bd678d70d1280737402a86a10089
Opcode Fuzzy Hash: b88a5d999d08b5b7a373ca17cfdc4dadd30d729208fab1ad3319c1b8a610e5af
Instruction Fuzzy Hash: 32918C70A04209AFCB14EF94E895DBDBFB5FF48304F108459F81AAB291DB71AE41EB50

Function 0055C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0055C6EE
_wcslen.LIBCMT ref: 0055C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0055C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0055C7CA

Strings

0, xrefs: 0055C6AF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: dc4a57253388bae28e666982bc3c084bf160e022f04a958fcc72a7a4e465f421
Instruction ID: 563edcc0210f8fcbc6b711e486bc313215267c35cb01d3c9e55a1390a7b2f563
Opcode Fuzzy Hash: dc4a57253388bae28e666982bc3c084bf160e022f04a958fcc72a7a4e465f421
Instruction Fuzzy Hash: 0551DE716243019FD7109E28C8A4B6ABFE8FB89315F040A2EFD95E3591DB74D908CB96

Function 0057AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0057AEA3

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

GetProcessId.KERNEL32(00000000), ref: 0057AF38
CloseHandle.KERNEL32(00000000), ref: 0057AF67

Strings

@, xrefs: 0057AE72
<, xrefs: 0057AE6B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 856e1c30a4d27aaf5a925cd841a7f91c8d0049e5bc1d52d02a0b67b17003fe23
Instruction ID: e09ec90fee08128e5e0ac5b499d0817ef5f9e5ed82f434668b44f53464e5785b
Opcode Fuzzy Hash: 856e1c30a4d27aaf5a925cd841a7f91c8d0049e5bc1d52d02a0b67b17003fe23
Instruction Fuzzy Hash: 56718974A00219DFCB14DF55D484AAEBBF4FF48318F04849AE81AAB392C778ED45DB91

Function 0055719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00557206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0055723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0055724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005572CF

Strings

DllGetClassObject, xrefs: 00557242

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 69fe0fe3d47617963285c108e5f849d665cb7f3f66f003f54022a8b6667d2f17
Instruction ID: b76126e1d642c7c76da98000d2b55dd3649e5973ace13e3edc723a0b21fe6dde
Opcode Fuzzy Hash: 69fe0fe3d47617963285c108e5f849d665cb7f3f66f003f54022a8b6667d2f17
Instruction Fuzzy Hash: D8419175604208EFDB15CF54D894A9A7FA9FF48311F2480AABD059F20AD7B0DA49DBA0

Function 00583D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00583E35
IsMenu.USER32(?), ref: 00583E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00583E92
DrawMenuBar.USER32 ref: 00583EA5

Strings

0, xrefs: 00583D89

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 6caeb8affc5f20ccbd0adbd76d864dc7f91cd61a2c812ed890b3f7764a1252eb
Instruction ID: 0cfbfc7c5bb2b041717d032b984a2f0fd44f06a19ebbf41661babdf01cc13289
Opcode Fuzzy Hash: 6caeb8affc5f20ccbd0adbd76d864dc7f91cd61a2c812ed890b3f7764a1252eb
Instruction Fuzzy Hash: 4B414575A01209AFDF10EF60D884EAABBB9FF59754F044129ED05AB250D730AE54DF60

Function 00551DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00551E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00551E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00551EA9

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Strings

ListBox, xrefs: 00551E25
ComboBox, xrefs: 00551DF0

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 4eb9e24b5cac80d2445843ad5de9c174ed4bcf74313c9635626cb21a1bbdab18
Instruction ID: 149b7e478923e56ebcde8551b402162c3b1300b938647e93ab05e061aeea9f5d
Opcode Fuzzy Hash: 4eb9e24b5cac80d2445843ad5de9c174ed4bcf74313c9635626cb21a1bbdab18
Instruction Fuzzy Hash: 77210471A00108AADB14AB65CC56EFFBFADBF41394B14412EFC25A72E0DB384D0D9624

Function 00582F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00582F8D
LoadLibraryW.KERNEL32(?), ref: 00582F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00582FA9
DestroyWindow.USER32(?), ref: 00582FB1

Strings

SysAnimate32, xrefs: 00582F68

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c5a9df02fe4c9887fc2e10e012473548c6ccd1c11cb4537729a59cbdfc0fb73a
Instruction ID: f9b708de27533462a715b01a900cba4b72a7ee68ec29a4f00bbaeb153f0766cb
Opcode Fuzzy Hash: c5a9df02fe4c9887fc2e10e012473548c6ccd1c11cb4537729a59cbdfc0fb73a
Instruction Fuzzy Hash: 43218871204209ABEB106F649C86EBB3FB9FF59368F100628FE50E6190D671DC51EB60

Function 00514D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00514D1E,005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002), ref: 00514D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00514DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00514D1E,005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000), ref: 00514DC3

Strings

mscoree.dll, xrefs: 00514D86
CorExitProcess, xrefs: 00514D98

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3dbe3f3354e3da9a1ddad49dcce0e5a2888249cf655f858f6f04f44ea3811917
Instruction ID: 8e8f1154d2e48608115675e70f31cca0662a86be3c0858602a2d33e4f99b4d46
Opcode Fuzzy Hash: 3dbe3f3354e3da9a1ddad49dcce0e5a2888249cf655f858f6f04f44ea3811917
Instruction Fuzzy Hash: 88F03C35A40208ABEB119B90EC49BEDBFA5FF54752F0011A8B905A62A0CB705989DFA1

Function 004F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F4EAE
FreeLibrary.KERNEL32(00000000,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EC0

Strings

kernel32.dll, xrefs: 004F4E94
Wow64DisableWow64FsRedirection, xrefs: 004F4EA8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c0149ec74392b65d10fcac10dad7d4b1e71d0ca77d541319dc7379a9cda12280
Instruction ID: f690807cf26a7227823f3a3772cbac17e437c4bf32ccffed9ee5a9ed4952a67c
Opcode Fuzzy Hash: c0149ec74392b65d10fcac10dad7d4b1e71d0ca77d541319dc7379a9cda12280
Instruction Fuzzy Hash: 93E04636A02A225BD3221B25AC5CA6B6A58AFD2B63B050116AE00F2340DF788909D2B4

Function 004F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F4E74
FreeLibrary.KERNEL32(00000000,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 004F4E6E
kernel32.dll, xrefs: 004F4E5B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 193d2fcfa3e63118cc0d87c4e4df39112ef6a967635902c407ca950f88783e71
Instruction ID: 9a14434c4a2f7c895d8af7114585d2a0d1f6869e0c4647cd371256f5c67256ee
Opcode Fuzzy Hash: 193d2fcfa3e63118cc0d87c4e4df39112ef6a967635902c407ca950f88783e71
Instruction Fuzzy Hash: 1DD0C231602A215787321B247C0CE9B2E18BFC1F213450212BE00B6210CF38CD09D7F4

Function 00562947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562C05
DeleteFileW.KERNEL32(?), ref: 00562C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00562C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562CC0

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 8e41ee1007eb27f4f0cc320240021dc5c1a95441638fc72799cb05d50e257cd7
Instruction ID: 429e785b9e7b309311a6d5dc76f251f53ffe9cc49ee2de37fd634faccdb4d44c
Opcode Fuzzy Hash: 8e41ee1007eb27f4f0cc320240021dc5c1a95441638fc72799cb05d50e257cd7
Instruction Fuzzy Hash: 38B14E7190051EABDF21DBA4CC89EEEBBBDFF48354F1040A6F609E7151EA349A448F61

Function 0057A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0057A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0057A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0057A468
CloseHandle.KERNEL32(?), ref: 0057A63D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 4570cc7dda3fec6bc2ace8cf07c660dde2d937d1d292876c966c4e790ebfab91
Instruction ID: 0d4944b50a5568cb5a6bfd4d31eafcc35c6dfcf3c98c6704e5a920cebf720cbc
Opcode Fuzzy Hash: 4570cc7dda3fec6bc2ace8cf07c660dde2d937d1d292876c966c4e790ebfab91
Instruction Fuzzy Hash: D0A1B171604301AFDB20DF24D886F2ABBE5BF84714F14881DF95A9B2D2D7B4EC418B96

Function 0055E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0055CF22,?), ref: 0055DDFD

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0055CF22,?), ref: 0055DE16

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

lstrcmpiW.KERNEL32(?,?), ref: 0055E473
MoveFileW.KERNEL32(?,?), ref: 0055E4AC
_wcslen.LIBCMT ref: 0055E5EB
_wcslen.LIBCMT ref: 0055E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0055E650

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 64d8708f370c298b5739c7c93a00afe2a9ecdb88580ae3d2a67e41f0eb712b80
Instruction ID: 42d21bce0d76f36e74f3739dc1e954d0323b059d66057c5d1060a37aec2c96ac
Opcode Fuzzy Hash: 64d8708f370c298b5739c7c93a00afe2a9ecdb88580ae3d2a67e41f0eb712b80
Instruction Fuzzy Hash: 4D5170B24083459BDB28EB90D8959DB7BECAF84341F00091FFA89D3151EF35A68C8766

Function 0057B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0057BB63
RegCloseKey.ADVAPI32(?,?), ref: 0057BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0057BBB3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 636e723bc0ca054fb11cf29ed6325cde1cfeeb1005eff7407c72918d251f66ea
Instruction ID: 4edd9fbec5908848d42e7f14501ac65a2aaa0f962e980790c8e959e2c1d62f1f
Opcode Fuzzy Hash: 636e723bc0ca054fb11cf29ed6325cde1cfeeb1005eff7407c72918d251f66ea
Instruction Fuzzy Hash: 9361CC70208241AFD314EF24D494F2ABBE5FF84348F14896DF4998B2A2CB31ED45DB92

Function 00558BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00558BCD
VariantClear.OLEAUT32 ref: 00558C3E
VariantClear.OLEAUT32 ref: 00558C9D
VariantClear.OLEAUT32(?), ref: 00558D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00558D3B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e126fc76770e39e5c252c45162991b644df177a277c0d28b8e1cf4a5361a120b
Instruction ID: 26ce9d003480703850f1c8356541e43182678f485165bd823a4f86d2b548dd30
Opcode Fuzzy Hash: e126fc76770e39e5c252c45162991b644df177a277c0d28b8e1cf4a5361a120b
Instruction Fuzzy Hash: 61515C75A00219DFCB14CF58C894AAABBF5FF89311B15855AED05EB350E730E915CF90

Function 00568AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00568BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00568BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00568C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00568C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00568C5F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5d4580e8d98516a7773aba89f5fb4c1c31151f7395332851cc40861eb121954b
Instruction ID: 477fc86e2db75fafc40318e5588a4043989118aa0b06d528dedb868f1b0999cc
Opcode Fuzzy Hash: 5d4580e8d98516a7773aba89f5fb4c1c31151f7395332851cc40861eb121954b
Instruction Fuzzy Hash: 7F515E35A00219AFDB10DF65C880E6DBBF5FF48318F088459E949AB3A2CB35ED45DB90

Function 00578EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00578F40
GetProcAddress.KERNEL32(00000000,?), ref: 00578FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00578FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00579032
FreeLibrary.KERNEL32(00000000), ref: 00579052

Part of subcall function 0050F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00561043,?,753CE610), ref: 0050F6E6
Part of subcall function 0050F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0054FA64,00000000,00000000,?,?,00561043,?,753CE610,?,0054FA64), ref: 0050F70D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 302da5569da81dc623c0974684cdcf7fc2a3621a1e2f0dd5b1f41fd61c3f8e03
Instruction ID: 71a1ca250450c34929f054c37151a61a8cec3e4d48caecc1b24f4a05a55a754f
Opcode Fuzzy Hash: 302da5569da81dc623c0974684cdcf7fc2a3621a1e2f0dd5b1f41fd61c3f8e03
Instruction Fuzzy Hash: EC513934600205DFCB11DF59D4989ADBFB1FF49358B048099E90AAB362DB35ED85DB90

Function 00586B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00586C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00586C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00586C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0056AB79,00000000,00000000), ref: 00586C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00586CC7

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 6984522041f6db56d2cbf398ec3a2e81877277532741cff8644336651c57f527
Instruction ID: 30808ce010c0f33b9125a5735e965253125879a34523c27a913fe1e332e2badc
Opcode Fuzzy Hash: 6984522041f6db56d2cbf398ec3a2e81877277532741cff8644336651c57f527
Instruction Fuzzy Hash: 3941AD35A04104AFDB24EF28CC58FA97FA5FB09360F140628EC99BB2A0C371ED41DB50

Function 00522051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005220C3
_free.LIBCMT ref: 005220E3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a2a8c313701d4dd797082f499640ab7e0bcd8984138f543abb3326eda9cc149a
Instruction ID: f4781d595fa8fc89f164460b4941c9345e4d6d6b73dd781d4daaea7e9faa1559
Opcode Fuzzy Hash: a2a8c313701d4dd797082f499640ab7e0bcd8984138f543abb3326eda9cc149a
Instruction Fuzzy Hash: CF41D23AA00214AFDB24DF78D885A5DBBA5FF8A314F154568E615EB391DB31AD01CB80

Function 0050912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00509141
ScreenToClient.USER32(00000000,?), ref: 0050915E
GetAsyncKeyState.USER32(00000001), ref: 00509183
GetAsyncKeyState.USER32(00000002), ref: 0050919D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 51e8be190fc1990ddc89e3ac8e07527eaf4fc79e3fe34a6ce6a412d7041e7ec6
Instruction ID: 2f35a03a06683654078966e83e2f939d95ea87ac7a514596f36af43defc554d8
Opcode Fuzzy Hash: 51e8be190fc1990ddc89e3ac8e07527eaf4fc79e3fe34a6ce6a412d7041e7ec6
Instruction Fuzzy Hash: D0415C71A0860BBBDF159F64C848BEEBF74FF49324F208219E829A62D5C7306954DB91

Function 00563874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00563922
TranslateMessage.USER32(?), ref: 0056394B
DispatchMessageW.USER32(?), ref: 00563955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00563966

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c0ea7a74d075069cef0dc2ed41d89bfa861765ffa7ed355694edf96ad42e74a5
Instruction ID: 68bf4082ccd283e59088f9ba99942beb67c4fc914019c57b5fb0c95ea3d73d3b
Opcode Fuzzy Hash: c0ea7a74d075069cef0dc2ed41d89bfa861765ffa7ed355694edf96ad42e74a5
Instruction Fuzzy Hash: 49318670504B429EEB35CF34D849FB63FA8FB26304F14096DE452931A1E7B49A89DF25

Function 0056CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0056CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFF2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: cab109c1e669789756d2c31a789969576e30cd16f5f9b60f93f2bb8ca1255763
Instruction ID: a3c3e3736d196e2cb22d37e4d98ceaf3b2d72fd6f11cd0efd7d1104fcfc96876
Opcode Fuzzy Hash: cab109c1e669789756d2c31a789969576e30cd16f5f9b60f93f2bb8ca1255763
Instruction Fuzzy Hash: B8314B71600206EFDB20DFA5D8889BBBFF9FB54354B10442EF556E3241DB30AE459B60

Function 00551901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00551915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005519E2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dcdd52c3bead9f19e13a0f033d6f278c565dfd9854448cefda15aae1489c8b70
Instruction ID: 0afe55da1736b3f2618e5a6e461c9c7b35318191e0ce691b12caabcc9db06ce3
Opcode Fuzzy Hash: dcdd52c3bead9f19e13a0f033d6f278c565dfd9854448cefda15aae1489c8b70
Instruction Fuzzy Hash: 68319E71A00219EFCB00CFA8C9A9B9E7FB5FB54315F10422AFD21AB2D1C7709948DB90

Function 00585706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00585745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0058579D
_wcslen.LIBCMT ref: 005857AF
_wcslen.LIBCMT ref: 005857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00585816

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ef1fad02d11082879055144a01a92baa6280d2815c53beddd70f986612a1fedd
Instruction ID: 1fa1c053497fa8d5207b463e83c44ddd8223fb53f294cbe0ab43d3158e90d614
Opcode Fuzzy Hash: ef1fad02d11082879055144a01a92baa6280d2815c53beddd70f986612a1fedd
Instruction Fuzzy Hash: 8321A2319046189ADF21AFA4CC84AEEBFB8FF54320F108616ED29FA190E7708985CF50

Function 00570930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00570951
GetForegroundWindow.USER32 ref: 00570968
GetDC.USER32(00000000), ref: 005709A4
GetPixel.GDI32(00000000,?,00000003), ref: 005709B0
ReleaseDC.USER32(00000000,00000003), ref: 005709E8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 611e2b847e00976160a8b5fdb50c684a6275260868f6f32dbb44374ff15f09da
Instruction ID: 05dee59f52bd6391c9b355af96a6d51d57df055b0b79ba976afef32de0fab01d
Opcode Fuzzy Hash: 611e2b847e00976160a8b5fdb50c684a6275260868f6f32dbb44374ff15f09da
Instruction Fuzzy Hash: 0A216F35600204AFD704EF69D989AAEBFE9FF44744F04846DE94AA7352DB34EC04DBA0

Function 0052CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0052CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0052CDE9

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0052CE0F
_free.LIBCMT ref: 0052CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0052CE31

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 84b5979bb748b308159142f0e9b6c34910f250f83c5ae5c9a1532d1c22e20eac
Instruction ID: c2bc17351f399ea153f88ef2a3da253a5ab2eff20b79b509e8d2a8365f1d603d
Opcode Fuzzy Hash: 84b5979bb748b308159142f0e9b6c34910f250f83c5ae5c9a1532d1c22e20eac
Instruction Fuzzy Hash: D00171726026257F232216B67C8CD7F6D6DFEC7BA13160129FD05D7282EA618D0292B1

Function 00509639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
SelectObject.GDI32(?,00000000), ref: 005096A2
BeginPath.GDI32(?), ref: 005096B9
SelectObject.GDI32(?,00000000), ref: 005096E2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d5e0b9fb64b79f1affe53c2cf826b1d974f73fa09b92df0b83950c58ef9cb0c9
Instruction ID: 231c686cba4ba4845116f9d5952e632df4777b305d82ca84f5cbcf3aaea1edd9
Opcode Fuzzy Hash: d5e0b9fb64b79f1affe53c2cf826b1d974f73fa09b92df0b83950c58ef9cb0c9
Instruction Fuzzy Hash: 9C217170801B09EFDB119F64EC08BAD3FB4BB61755F100215F811A71E6D3719859EB98

Function 00555711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00555726
_memcmp.LIBVCRUNTIME ref: 00555744
_memcmp.LIBVCRUNTIME ref: 00555757
_memcmp.LIBVCRUNTIME ref: 0055576F
_memcmp.LIBVCRUNTIME ref: 00555787

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2cc3f02c4fdae2c561e510510b075cef5fa72baab72a14ff1d45b7cc738574a3
Instruction ID: 83f66314ef1f3781c7ee3c7db95d920a5e93d553dd51a06292bc6e261a8e9c0a
Opcode Fuzzy Hash: 2cc3f02c4fdae2c561e510510b075cef5fa72baab72a14ff1d45b7cc738574a3
Instruction Fuzzy Hash: 8001F961251A09BBE20861119D72FFB7F5CFB683D6F100422FE05AA241F720EE5483A4

Function 0055000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?,?,0055035E), ref: 0055002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?), ref: 00550064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550070

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 41a83b1a1a3158aa04227c76a2956a14f8629e42c1f85aba4b6ce6886bff8a6a
Instruction ID: d9b53a5fa9ee7ddf9c5f928cc394796dcdae82dd35ad3c4b96821c16a5ab9814
Opcode Fuzzy Hash: 41a83b1a1a3158aa04227c76a2956a14f8629e42c1f85aba4b6ce6886bff8a6a
Instruction Fuzzy Hash: C2018F72600204BFDB104F69DC08BAA7EADFB44752F546125FD05E22A0D771DD48ABA0

Function 0055E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0055E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0055E9A5
Sleep.KERNEL32(00000000), ref: 0055E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0055E9B7
Sleep.KERNEL32 ref: 0055E9F3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b88d9c85624ef431dfd0335e984c40ddd38912ae5f171a37762fb5b39ab0635f
Instruction ID: 04bd6edc157cde6116a4bdcee8c13953b7344567f8c6edd425b3cc92676cc77c
Opcode Fuzzy Hash: b88d9c85624ef431dfd0335e984c40ddd38912ae5f171a37762fb5b39ab0635f
Instruction Fuzzy Hash: 1B015731C01629DBCF04ABE4D8AEAEDBF78BB19302F000546E912B2241DB309658DBA1

Function 005510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b5db23affd37ea1193ac919f1dddf6ba48911c9327bc1710e57a70590e2de36a
Instruction ID: 5b2725359efb55ab53947f88874cb069b1ee316aaa74f588aa953cc7fec72183
Opcode Fuzzy Hash: b5db23affd37ea1193ac919f1dddf6ba48911c9327bc1710e57a70590e2de36a
Instruction Fuzzy Hash: 5B014675200605AFDB114BA4EC89A6A3F6EEF893A1B210459FE41E2260DB31DC04EB70

Function 00550FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00550FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00550FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00550FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00550FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00551002

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 548ecc46d7149afc0a4880740e9f947bd7d5b2035b1e3b44db36440bfefd1770
Instruction ID: 6f86616aa1a9876118af4aeccd6489697a16d67899a905dbc9c8589743305bf2
Opcode Fuzzy Hash: 548ecc46d7149afc0a4880740e9f947bd7d5b2035b1e3b44db36440bfefd1770
Instruction Fuzzy Hash: 0CF08735200301EBDB210FA5AC8DF5A3FA9FF99762F500415FE05AA2A0DA30E8449B70

Function 00551014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0055102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00551036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0055104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551062

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4b8e13848fdb19141faacec7786e2a7f1de7c281878ef122da1f26233ca14b28
Instruction ID: 5773515caa62e809d2da9054621dceb4f1d119d9dc93fb7bdfd0ea5bdb50c81a
Opcode Fuzzy Hash: 4b8e13848fdb19141faacec7786e2a7f1de7c281878ef122da1f26233ca14b28
Instruction Fuzzy Hash: 54F03735200711EBDB215FA6EC9DF5A3FADFF99662F200415FE45AA2A0CA70D8449B70

Function 0056030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560324
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560331
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 0056033E
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 0056034B
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560358
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560365

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fbc15be1e9ee5505ed70a464ce56c79526ba6c59d1fbffcfdbd477edad50e6c5
Instruction ID: 9157d27f7e4dbd0bbd68af61d6ce7f3e1817db4d7f0669fd80b972a19ebf4e88
Opcode Fuzzy Hash: fbc15be1e9ee5505ed70a464ce56c79526ba6c59d1fbffcfdbd477edad50e6c5
Instruction Fuzzy Hash: 0101DC72900B118FCB30AF66D880803FBF9BE602063049E3ED19252A70C3B0A988DF80

Function 0052D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0052D752

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052D764
_free.LIBCMT ref: 0052D776
_free.LIBCMT ref: 0052D788
_free.LIBCMT ref: 0052D79A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a1e88271189b3584d8f16097a959608470c007d38ba735cace81bd5f62ddf1b4
Instruction ID: 37288e8e8b338178870eebea87e7eccfea11a61d0c48984fafa14317ee63cafa
Opcode Fuzzy Hash: a1e88271189b3584d8f16097a959608470c007d38ba735cace81bd5f62ddf1b4
Instruction Fuzzy Hash: D0F03C32504625AB8661EB64F9C5D167FEDFF4A310BA80C05F049D7582C728FCC08674

Function 00555C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00555C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00555C6F
MessageBeep.USER32(00000000), ref: 00555C87
KillTimer.USER32(?,0000040A), ref: 00555CA3
EndDialog.USER32(?,00000001), ref: 00555CBD

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d0ec61a17feb230a8063301f0a93249d6333ec81ff96e7864a149fb5f5f7a0fa
Instruction ID: d364d5b26de1b84db588f2830b16cafc53d0dfd136d1c89cf1163a96eca241be
Opcode Fuzzy Hash: d0ec61a17feb230a8063301f0a93249d6333ec81ff96e7864a149fb5f5f7a0fa
Instruction Fuzzy Hash: 6B018B305007049BEB205B15DD6EFA57FB8BF10706F00156AA953B14E1E7F46D4C9B50

Function 005222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005222BE

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 005222D0
_free.LIBCMT ref: 005222E3
_free.LIBCMT ref: 005222F4
_free.LIBCMT ref: 00522305

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1cad38b2f35d1456ef4aaf90c06edf01498af6e67d65782b2c6d8721df60b5e9
Instruction ID: 991bb1a067fc17ad9979c32a9a8ad53962ae4240f4e0492523a9749bc4c1a63e
Opcode Fuzzy Hash: 1cad38b2f35d1456ef4aaf90c06edf01498af6e67d65782b2c6d8721df60b5e9
Instruction Fuzzy Hash: 61F01D7E800932AF8612AF54BC05C483F64FB3A751B41160AF418D22F2C73514D5BAA8

Function 005095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005095D4
StrokeAndFillPath.GDI32(?,?,005471F7,00000000,?,?,?), ref: 005095F0
SelectObject.GDI32(?,00000000), ref: 00509603
DeleteObject.GDI32 ref: 00509616
StrokePath.GDI32(?), ref: 00509631

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4cf92d1122fbce94cbc6bf74944575d24676dcc19b78bac3be0156763d9d60f0
Instruction ID: 4f521d53bcd5723f6a2d97a6f9c515483fa6616c5982466dd4c240c1f900550d
Opcode Fuzzy Hash: 4cf92d1122fbce94cbc6bf74944575d24676dcc19b78bac3be0156763d9d60f0
Instruction Fuzzy Hash: 49F03C30005E08EFDB525F65ED1CB683F61BB22362F048214F825650F2C73189A9FF28

Function 00520F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005210F9
__freea.LIBCMT ref: 00521117

Part of subcall function 00521537: _free.LIBCMT ref: 0052154F

Strings

am/pm, xrefs: 0052117A
a/p, xrefs: 005211DE

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e42d355f466611826be57ef3bb4f10f0e7361a8ecb662a167520957b3a33c7da
Instruction ID: 5961793179dbf644691af7fe18d1e5abf505e9a6fc7ea462c5bd2795a3b77847
Opcode Fuzzy Hash: e42d355f466611826be57ef3bb4f10f0e7361a8ecb662a167520957b3a33c7da
Instruction Fuzzy Hash: 6DD1E335900A26DBDB24CF68E8896BBBFB2FF37310F240959E5019B6D0D2359D81CB59

Function 005761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00510242: EnterCriticalSection.KERNEL32(005C070C,005C1884,?,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051024D
Part of subcall function 00510242: LeaveCriticalSection.KERNEL32(005C070C,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051028A

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

__Init_thread_footer.LIBCMT ref: 00576238

Part of subcall function 005101F8: EnterCriticalSection.KERNEL32(005C070C,?,?,00508747,005C2514), ref: 00510202
Part of subcall function 005101F8: LeaveCriticalSection.KERNEL32(005C070C,?,00508747,005C2514), ref: 00510235

Part of subcall function 0056359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005635E4
Part of subcall function 0056359C: LoadStringW.USER32(005C2390,?,00000FFF,?), ref: 0056360A

Strings

x#\, xrefs: 0057633A
x#\, xrefs: 00576353
x#\, xrefs: 0057636F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#\$x#\$x#\
API String ID: 1072379062-1758250086
Opcode ID: a92c35333dc577c9445eae2ebd434046b473125935731f53da880e82fd94258c
Instruction ID: 13a5e13e8e00ca8249c6e7323a7b12d56b772d94d2acffe84785847ced4e330d
Opcode Fuzzy Hash: a92c35333dc577c9445eae2ebd434046b473125935731f53da880e82fd94258c
Instruction Fuzzy Hash: C7C19371A0050AAFCB14DF98D895EBEBBB9FF48300F148469F9099B291DB70ED45DB90

Function 00525AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOO, xrefs: 00525BA8, 00525C6C

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: JOO
API String ID: 0-332324559
Opcode ID: 3aa16df302615e315110e76043f0e083397f7a9caf1e75ff64c77b475fbf05ff
Instruction ID: 9e8eef30e6ca0bbc4c7287468706ea3a9acd8cdd8ae8bd90ff558789fc7797b1
Opcode Fuzzy Hash: 3aa16df302615e315110e76043f0e083397f7a9caf1e75ff64c77b475fbf05ff
Instruction Fuzzy Hash: 3F51CF75E0062AAFDB219FA4E849EEEBFB8BF86310F140419F405B72D1F6319D419B61

Function 00528A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00528B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00528B7A
__dosmaperr.LIBCMT ref: 00528B81

Strings

.Q, xrefs: 00528A63

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .Q
API String ID: 2434981716-3049930668
Opcode ID: d4604b0b6e571cd9d71ff27874684737e20028e9cfda745ca2464129824c2521
Instruction ID: bbd51590d99576c244dd911ebf38b6bc388bb0d8aa600dc96099afbdbed7be25
Opcode Fuzzy Hash: d4604b0b6e571cd9d71ff27874684737e20028e9cfda745ca2464129824c2521
Instruction Fuzzy Hash: A0418C70605065AFDB249FA4EC85A797FA5FF87310F2845ADF895876C2DE318C029790

Function 00552716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0055B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005521D0,?,?,00000034,00000800,?,00000034), ref: 0055B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00552760

Part of subcall function 0055B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0055B3F8

Part of subcall function 0055B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0055B355
Part of subcall function 0055B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00552194,00000034,?,?,00001004,00000000,00000000), ref: 0055B365
Part of subcall function 0055B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00552194,00000034,?,?,00001004,00000000,00000000), ref: 0055B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0055281A

Strings

@, xrefs: 00552832

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4a5bd50673a57653d49ecd91eea445f71a45addba7effd94bb5a6ab129fb60ad
Instruction ID: ad670d302e20d11d122f9ff2c71dcbab102e7f0e51691a468baee6e6253a0940
Opcode Fuzzy Hash: 4a5bd50673a57653d49ecd91eea445f71a45addba7effd94bb5a6ab129fb60ad
Instruction Fuzzy Hash: C3413C72900219BFDB10DBA4CD95AEEBBB8FF49300F10405AFA55B7181DB706E49CBA1

Function 0052172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00521769
_free.LIBCMT ref: 00521834
_free.LIBCMT ref: 0052183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00521760, 00521767, 00521796, 005217CE

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: ce29cbd838ee322d1c55cc057d39282492a36cb593890da2e14aa1fa376f3a5d
Instruction ID: 34bed8f827c99fde71392f278419a59f0a1df15347474c743e19b01f9a304b9b
Opcode Fuzzy Hash: ce29cbd838ee322d1c55cc057d39282492a36cb593890da2e14aa1fa376f3a5d
Instruction Fuzzy Hash: B6319379A00A28AFDB11DB99A885D9FBFBCFFA6310F144166E40497251D6708A40D794

Function 0055C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0055C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0055C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005C1990,011964A0), ref: 0055C395

Strings

0, xrefs: 0055C2DF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e09bf993125fea049a0706debf579507ee3b44efcfede3df11d1efa9ff6cb34e
Instruction ID: 45d32b930bfccaca9fdf10ee222f150f5d75d8d6156cf342c3e611a11620638d
Opcode Fuzzy Hash: e09bf993125fea049a0706debf579507ee3b44efcfede3df11d1efa9ff6cb34e
Instruction Fuzzy Hash: DF418E312043069FDB20DF25D894B6ABFE4BF85321F158A1EFDA597291D730A908CB62

Function 00584416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0058CC08,00000000,?,?,?,?), ref: 005844AA
GetWindowLongW.USER32 ref: 005844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005844D7

Strings

SysTreeView32, xrefs: 0058447C

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 30ae22fd57acff09e1404a3f8a6a927645671c2ac61542d39fa7db7db3594a7c
Instruction ID: 549f8127dc2d868a157377fce8241e639109597a97c8dc086060b9ddd9459e5e
Opcode Fuzzy Hash: 30ae22fd57acff09e1404a3f8a6a927645671c2ac61542d39fa7db7db3594a7c
Instruction Fuzzy Hash: 59317C31210606AFDF20AE78DC45BEA7BA9FB49324F204725FD75A21E1D770AC509B60

Function 00556E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00556EED
VariantCopyInd.OLEAUT32(?,?), ref: 00556F08
VariantClear.OLEAUT32(?), ref: 00556F12

Strings

*jU, xrefs: 00556E8B, 00556E90, 00556EF8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jU
API String ID: 2173805711-1317551218
Opcode ID: 174df69d5a610740252549747dd97a0117b8f0ce579901fd4f3e100caecafec4
Instruction ID: 0b372dc8b13ddb610d7439a1ef58879432e545352e43ae7d554bb816539ef78a
Opcode Fuzzy Hash: 174df69d5a610740252549747dd97a0117b8f0ce579901fd4f3e100caecafec4
Instruction Fuzzy Hash: 3831C771A04289DFCB04AF65E8619BD3B76FF85305B50085EFD024B2B1C7349959DBE4

Function 0057304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00573077,?,?), ref: 00573378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0057307A
_wcslen.LIBCMT ref: 0057309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00573106

Strings

255.255.255.255, xrefs: 00573095, 0057309A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a7899dd2439de73536c7d4e952f25e5c4e6b4706991d36dec0f93656b2c48689
Instruction ID: 45467ca2f1274bd04d312d5f511df5c264b68714cd5ff066d602c96070597707
Opcode Fuzzy Hash: a7899dd2439de73536c7d4e952f25e5c4e6b4706991d36dec0f93656b2c48689
Instruction Fuzzy Hash: EF31D5396002059FC710DF29D489EA97FE0FF54328F64C459E9198B3A2D771EE45EB60

Function 00584653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00584705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00584713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0058471A

Strings

msctls_updown32, xrefs: 00584684

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1399bc825b749d850578131b9fbcd129035f9aebcf892f413148de33f401434b
Instruction ID: d2f64de8b2cb16923bf58984bd300227055f23f126550e78f8e4ab8fa271b703
Opcode Fuzzy Hash: 1399bc825b749d850578131b9fbcd129035f9aebcf892f413148de33f401434b
Instruction Fuzzy Hash: F5217FB5600209AFDB10EF68DC85DB63BADFB9A358B000059FE01EB251DB30EC12DB60

Function 005595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0055961D

Strings

#OnAutoItStartRegister, xrefs: 005595F3
#notrayicon, xrefs: 005595B7
#requireadmin, xrefs: 005595D9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 73335b412012dd8e55b2a710c6f40aa146bb935179feed5f9d3e034d5d292fd2
Instruction ID: bb8a85d611b72516d52c6710791793ecc63c19d1cc863ab633287d736b3821ef
Opcode Fuzzy Hash: 73335b412012dd8e55b2a710c6f40aa146bb935179feed5f9d3e034d5d292fd2
Instruction Fuzzy Hash: 02214332204211A6E731AA24D826FBB7B98BFA4311F44442BFE4997081EB58AD9DC3D5

Function 005837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00583840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00583850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00583876

Strings

Listbox, xrefs: 0058380F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9dc7c8bf3edd88ecd952e07de6a300878a469247972f564fcfa3b568e2ddc78e
Instruction ID: 7908fe957dc89b9e4167ab7f6aa0e108e668f3fe58aa231b4b61fffea9c5ebaa
Opcode Fuzzy Hash: 9dc7c8bf3edd88ecd952e07de6a300878a469247972f564fcfa3b568e2ddc78e
Instruction Fuzzy Hash: D221B072610118BBEF119F54CC45EBB3B6EFF89B54F118124FD00AB190CA71DD528BA0

Function 005649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00564A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00564A5C
SetErrorMode.KERNEL32(00000000,?,?,0058CC08), ref: 00564AD0

Strings

%lu, xrefs: 00564A6F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 63dc03e2afedb300bd65f01f8c22b45d3ceab701c8298365787d596e0a5e4ec0
Instruction ID: d72ae9fe4c6331f4e3185c701582a4c30938d2930c4ad875c541f449b107ae17
Opcode Fuzzy Hash: 63dc03e2afedb300bd65f01f8c22b45d3ceab701c8298365787d596e0a5e4ec0
Instruction Fuzzy Hash: 2A313E75A00209AFDB10DF64C885EAA7BF9FF48308F1480A9E909EB252D775ED45CB61

Function 005841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0058424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00584264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00584271

Strings

msctls_trackbar32, xrefs: 00584226

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4238134bca26684249158117794710e81eb2fdd931a2c297d1735a603a071e74
Instruction ID: 93091f66680e6c0dd835ee2f414e23f83ab57b505ce7f684dc8f719dc8cfcfae
Opcode Fuzzy Hash: 4238134bca26684249158117794710e81eb2fdd931a2c297d1735a603a071e74
Instruction Fuzzy Hash: 3611C131244209BEEF20AE29CC06FAB3BACFF95B54F110524FE55F6090D671D8219B20

Function 00552F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Part of subcall function 00552DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00552DC5
Part of subcall function 00552DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00552DD6
Part of subcall function 00552DA7: GetCurrentThreadId.KERNEL32 ref: 00552DDD
Part of subcall function 00552DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00552DE4

GetFocus.USER32 ref: 00552F78

Part of subcall function 00552DEE: GetParent.USER32(00000000), ref: 00552DF9

GetClassNameW.USER32(?,?,00000100), ref: 00552FC3
EnumChildWindows.USER32(?,0055303B), ref: 00552FEB

Strings

%s%d, xrefs: 00552FFF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 824821f81afdb5c522bd8157098137e61f6c5703ff7fb812375e56da87679a0c
Instruction ID: e1250dbe2dddbdc0a38dd38fe08c224b9def11318620e9d003d868cff72c60fe
Opcode Fuzzy Hash: 824821f81afdb5c522bd8157098137e61f6c5703ff7fb812375e56da87679a0c
Instruction Fuzzy Hash: DE11A5716002196BCF54BF658C99EED3F6ABF94305F044076BD09AB192DE30594D9B70

Function 00585882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005858EE
DrawMenuBar.USER32(?), ref: 005858FD

Strings

0, xrefs: 0058588F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 7764a56a23f2a9812f8c1fecebe52f58ad38f67f040bc7a61fec585fab28808c
Instruction ID: ab574b015806f2ab2f5057b9ed279a0feaaf2a2343e04ccd65e1712923673b2b
Opcode Fuzzy Hash: 7764a56a23f2a9812f8c1fecebe52f58ad38f67f040bc7a61fec585fab28808c
Instruction Fuzzy Hash: 3B010C31500219EEDB61AF11D844BAEBFB8BB45361F148499E849E6161EB308A94EF21

Function 0054D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0054D3BF
FreeLibrary.KERNEL32 ref: 0054D3E5

Strings

X64, xrefs: 0054D2A8
GetSystemWow64DirectoryW, xrefs: 0054D3B9

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7f0ea576a2b450641892ae39a21d4b79cfc2314d7ad31d1fd2b8e79c36088864
Instruction ID: 99a3607d824bb276fc37a38d75f415e6e2224734ea4a52e3dc6f6cb08bc1bdbb
Opcode Fuzzy Hash: 7f0ea576a2b450641892ae39a21d4b79cfc2314d7ad31d1fd2b8e79c36088864
Instruction Fuzzy Hash: 78F0EC365096119BD7716A104C58ADD3F747F11F09BA44D55EC02F5245D7B4CD4487B1

Function 0055007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b8b46d8c7555de6fe7dfa797c4df44976cfc567196fcc0cdb3814f5b1d7b0c
Instruction ID: 1920e79813fbca3741fe8a4967be61043b7a652dfa6324b9ccdd30e30aa08a37
Opcode Fuzzy Hash: c0b8b46d8c7555de6fe7dfa797c4df44976cfc567196fcc0cdb3814f5b1d7b0c
Instruction Fuzzy Hash: E0C19E75A00206EFCB14CF94C8A4EAEBBB5FF48315F219599E805EB291D730ED45DB90

Function 0057342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00573459
CoUninitialize.OLE32 ref: 00573463
VariantInit.OLEAUT32(?), ref: 0057346E
VariantClear.OLEAUT32(?), ref: 0057371B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 1080e3457362ee6e7066fae1289a1206701ba8486fcb497ec489cf05c8a8b5ea
Instruction ID: dae02da31492058f1bbb572c8932ea78b2cf292ec6d52702846cf168ddff5176
Opcode Fuzzy Hash: 1080e3457362ee6e7066fae1289a1206701ba8486fcb497ec489cf05c8a8b5ea
Instruction Fuzzy Hash: 63A18E75204305AFC700DF25D485A2ABBE5FF88724F04885DF98A9B362DB34EE05DB55

Function 00550436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0058FC08,?), ref: 005505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0058FC08,?), ref: 00550608
CLSIDFromProgID.OLE32(?,?,00000000,0058CC40,000000FF,?,00000000,00000800,00000000,?,0058FC08,?), ref: 0055062D
_memcmp.LIBVCRUNTIME ref: 0055064E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 771802ca585791a0997fb488500cbe2696b1be3d65cc36a86cf9b23cd6189399
Instruction ID: 875153ce3094038dad34bb64abeced8f4b5acfe71be9b77f6bbb1ffbb7325dab
Opcode Fuzzy Hash: 771802ca585791a0997fb488500cbe2696b1be3d65cc36a86cf9b23cd6189399
Instruction Fuzzy Hash: E0810071900109EFCB04DF94C994DEEBBB9FF89315F104559E916AB250DB71AE0ACF60

Function 0057A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0057A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0057A6BA

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0057A79C
CloseHandle.KERNEL32(00000000), ref: 0057A7AB

Part of subcall function 0050CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00533303,?), ref: 0050CE8A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9d87690388107634faef52a48576f20a84e59bcf226c78583ea80069a2288154
Instruction ID: b56daccf3dfc874434f98a2c985e734aee6160d762e42d511dcd12a8e970f7fe
Opcode Fuzzy Hash: 9d87690388107634faef52a48576f20a84e59bcf226c78583ea80069a2288154
Instruction Fuzzy Hash: C4515D715083059FD710EF25D886A6FBBE8FF89754F00891EF58997291EB34D904CB92

Function 00531391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005314C0

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd105153581f87c3feed0e269c96f5883ee0193252d569c7fbeb88755748db1d
Instruction ID: a520121f953732c098a55324d7c80fea5dfd94648feff05b2f88fd6fdfdf7ab2
Opcode Fuzzy Hash: bd105153581f87c3feed0e269c96f5883ee0193252d569c7fbeb88755748db1d
Instruction Fuzzy Hash: 63417C35A00912ABEF217BBC9C4A6BE3FA5FF82330F144625F429D22D2FA3048815775

Function 00586278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005862E2
ScreenToClient.USER32(?,?), ref: 00586315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00586382

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ac1c0cd86e1326048f716f6c21e9086121607a2419d91b3b8a8ae1bd1967396e
Instruction ID: 0b53c86be15322f4578c6cc0208d47844c5906e5f9e17852c3653a6257fa53cb
Opcode Fuzzy Hash: ac1c0cd86e1326048f716f6c21e9086121607a2419d91b3b8a8ae1bd1967396e
Instruction Fuzzy Hash: 92512A74A00609EFDF10EF68D880AAE7BB5FF55360F108569F955AB2A0DB30ED41DB50

Function 00571AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00571AFD
WSAGetLastError.WSOCK32 ref: 00571B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00571B8A
WSAGetLastError.WSOCK32 ref: 00571B94

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7a41fed85caecc07102f11de8e1dcde679ede90372c65ca3865fdc7ec87997c4
Instruction ID: d9bcc3985e0c5b7facb24e2c3fff8e310e9942524b043512e8a9ec3c75d01537
Opcode Fuzzy Hash: 7a41fed85caecc07102f11de8e1dcde679ede90372c65ca3865fdc7ec87997c4
Instruction Fuzzy Hash: 3C419E34600600AFE720AF25D886F3A7BE5AB44718F54C48DFA1A9F2D3D776ED418B94

Function 0052B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e37b1b18ba06d383d01a50ee2e621719f90ef468cf17587c8482b7193fb8e2c
Instruction ID: 68f63b80d0606c9dc566ebeebf3df4fac5ed4ca049c98a1e186c7050fef23978
Opcode Fuzzy Hash: 0e37b1b18ba06d383d01a50ee2e621719f90ef468cf17587c8482b7193fb8e2c
Instruction Fuzzy Hash: AC41F675A00614AFEB24AF38DC85BAA7FAAFF85710F10452AF551DB2C2D37199418780

Function 005656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00565783
GetLastError.KERNEL32(?,00000000), ref: 005657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005657FA

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b6407f1b22ed03b4cf45c0917954ada580e13941d70aaddf186173a73ceab782
Instruction ID: 1d93297c174ea20edb8c7c1ffd79501508a499b04c39730ffdab968fd2d5b061
Opcode Fuzzy Hash: b6407f1b22ed03b4cf45c0917954ada580e13941d70aaddf186173a73ceab782
Instruction Fuzzy Hash: 2B415E39200615DFCB10DF15C544A2DBBE2FF89368B188489ED4AAB762DB78FD04CB95

Function 0052D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00516D71,00000000,00000000,005182D9,?,005182D9,?,00000001,00516D71,?,00000001,005182D9,005182D9), ref: 0052D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0052D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0052D9AB
__freea.LIBCMT ref: 0052D9B4

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7d0e7075d475ace9dd7a9c295015dc23b050bdc5dfc87db54f09a3b80125b807
Instruction ID: 4f442d19ccfc309a5fa0f20528235e7c44c2e3beb25fef0df652b9bfdc3ebeee
Opcode Fuzzy Hash: 7d0e7075d475ace9dd7a9c295015dc23b050bdc5dfc87db54f09a3b80125b807
Instruction Fuzzy Hash: F3319F72A0021AABDB24DF64EC85EAE7FB5FF42350F154168FC0496290EB35DD94CBA0

Function 005852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00585352
GetWindowLongW.USER32(?,000000F0), ref: 00585375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00585382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005853A8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 7f2cac309be4840e0f34738fbaab983466a09c44cb8fcbd4c34d8f834e129ded
Instruction ID: f04d945162cc56a362024a71381401ff2972102066a3c5e5418604f9c4116eda
Opcode Fuzzy Hash: 7f2cac309be4840e0f34738fbaab983466a09c44cb8fcbd4c34d8f834e129ded
Instruction Fuzzy Hash: 9831AF34A55E08BFEB21AE14CC06FE83F65BB05391F984901BE11B61E1EBB49E40AB51

Function 0055AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0055ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0055AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0055AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0055ACC6

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1f70528852b32140545a6cf3d2998b2fc49da4e238a3f10387678a2fa354eebe
Instruction ID: 92dbdae140ea5f88f85c4ca9eec973da9d6db041ea8cefd54ce0bd92330bed89
Opcode Fuzzy Hash: 1f70528852b32140545a6cf3d2998b2fc49da4e238a3f10387678a2fa354eebe
Instruction Fuzzy Hash: 43311430A00218AFFF25CB6988297FA7FA5BB89312F04471BFC85961D0D3748D8D9762

Function 00587674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0058769A
GetWindowRect.USER32(?,?), ref: 00587710
PtInRect.USER32(?,?,00588B89), ref: 00587720
MessageBeep.USER32(00000000), ref: 0058778C

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: dd74bcd46a22f3c7b9ad854e2cfd193247b9aa422eca746ae86a5460aa24c582
Instruction ID: ed8150770d706fbb0f8e593bd3a34f3118729fb27b01c58f44b2d5f407ecde33
Opcode Fuzzy Hash: dd74bcd46a22f3c7b9ad854e2cfd193247b9aa422eca746ae86a5460aa24c582
Instruction Fuzzy Hash: 9F419A34A056199FCB01EF58C894EA9BFF4FB5E300F2840A8EC14EB261D330E945DB90

Function 005816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005816EB

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

GetCaretPos.USER32(?), ref: 005816FF
ClientToScreen.USER32(00000000,?), ref: 0058174C
GetForegroundWindow.USER32 ref: 00581752

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9dfa36b149f99eac205410f3618c63716ec09ff27af1abaf9e80b4bb2e77a9dc
Instruction ID: 8da59a442fae849ad2424951b78087e5fe4a937d02001729b057de3e9d0230b5
Opcode Fuzzy Hash: 9dfa36b149f99eac205410f3618c63716ec09ff27af1abaf9e80b4bb2e77a9dc
Instruction Fuzzy Hash: 5B313275D00149AFCB00EFAAC885CAEBBFDFF48304B50406EE515E7251D6359E45CBA5

Function 00588FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

GetCursorPos.USER32(?), ref: 00589001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00547711,?,?,?,?,?), ref: 00589016
GetCursorPos.USER32(?), ref: 0058905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00547711,?,?,?), ref: 00589094

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e270f83bc65321be755c81f87a224a131b18668a68524464eb0598d90ec33ed6
Instruction ID: cdb92b26bd29e30cf67832eadd7883d36d2622b674a9da960dd413eb2f6273df
Opcode Fuzzy Hash: e270f83bc65321be755c81f87a224a131b18668a68524464eb0598d90ec33ed6
Instruction Fuzzy Hash: 70219F35600418EFCB259F94CC59EFA7FB9FB8A350F184065FD066B2A2C3319950EB60

Function 0055D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0058CB68), ref: 0055D2FB
GetLastError.KERNEL32 ref: 0055D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0055D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0058CB68), ref: 0055D376

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c53669599eebda37427641ac09ad7a06d8f4a1f5413e0050ae64f34b94de3512
Instruction ID: 3bc1c02859acefb2140bc40a0d728527d7ee38f2c1c9bc08a853ffe69248277d
Opcode Fuzzy Hash: c53669599eebda37427641ac09ad7a06d8f4a1f5413e0050ae64f34b94de3512
Instruction Fuzzy Hash: 31219E755052019FC320EF29C89186ABBE4BF55369F104E1EF899D32A1DB30D909CBA3

Function 00551571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00551014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0055102A
Part of subcall function 00551014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00551036
Part of subcall function 00551014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551045
Part of subcall function 00551014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0055104C
Part of subcall function 00551014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005515BE
_memcmp.LIBVCRUNTIME ref: 005515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00551617
HeapFree.KERNEL32(00000000), ref: 0055161E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4751667e5396027b4a1f6d8808bf1c124b57ca1e6c49c9a5d42a45ebdbca0378
Instruction ID: cf5c7790f663272833bb712692ea3b365b3cbcbe963c916c4eddb64b3246102b
Opcode Fuzzy Hash: 4751667e5396027b4a1f6d8808bf1c124b57ca1e6c49c9a5d42a45ebdbca0378
Instruction Fuzzy Hash: FC216B31E40509AFDF10DFA4C959BEEBFB8FF44345F08445AE851AB241E730AA09DB64

Function 00582782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0058280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00582824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00582832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00582840

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 70bad74d9ff84696a4bf00e031a2c2c4cb071fcbc8c8ff0f890637a9f0b5f35c
Instruction ID: 7b639ed9ac99ffc1b02d31adef91c65be96053eb038502a52febd480a6c4adbb
Opcode Fuzzy Hash: 70bad74d9ff84696a4bf00e031a2c2c4cb071fcbc8c8ff0f890637a9f0b5f35c
Instruction Fuzzy Hash: F221B035204215AFDB14AB25C844FAA7F95FF85328F148159F826DB6E2C775EC42CBA0

Function 005578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00558D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?), ref: 00558D8C
Part of subcall function 00558D7D: lstrcpyW.KERNEL32(00000000,?,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00558DB2
Part of subcall function 00558D7D: lstrcmpiW.KERNEL32(00000000,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?), ref: 00558DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557923
lstrcpyW.KERNEL32(00000000,?,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557984

Strings

cdecl, xrefs: 0055797B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 36b72b0bd20bb392cd7aa344cc5379f8da22b41a05d1a7a575befc9bf1ef4b0b
Instruction ID: 8a5c382b979ac85179ed41cc92acd27e16c4cc992dd098fe7efd355d63bbb54f
Opcode Fuzzy Hash: 36b72b0bd20bb392cd7aa344cc5379f8da22b41a05d1a7a575befc9bf1ef4b0b
Instruction Fuzzy Hash: A811063A200246ABDB159F35D858E7A7BB9FF99351B00402BFC02C72A4EB319805D7A1

Function 00587CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00587D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00587D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00587D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0056B7AD,00000000), ref: 00587D6B

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a9e710797ce6d2cba1ec8163c0f059f5a0ac46983f0a820241e6e338743219f5
Instruction ID: 8a58e8043f90fd0bf18b8c364ce73121112f03549325087cab81f142ef28472e
Opcode Fuzzy Hash: a9e710797ce6d2cba1ec8163c0f059f5a0ac46983f0a820241e6e338743219f5
Instruction Fuzzy Hash: D4115E32509A19AFCB10AF68CC04E663FA5BF4A3A0B254764FC35E72E1E730D955DB90

Function 00585660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005856BB
_wcslen.LIBCMT ref: 005856CD
_wcslen.LIBCMT ref: 005856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00585816

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 565b806c0a92a57080eb77f69228ffe110eda130816150efc5b835a3a285e59c
Instruction ID: 409d263f1f792e15e32f27201b13fff823daa8894e1bb8c2759c6f3085fc16cf
Opcode Fuzzy Hash: 565b806c0a92a57080eb77f69228ffe110eda130816150efc5b835a3a285e59c
Instruction Fuzzy Hash: AF11B17560060996DF20AF668C85AEE7FACFF51760B104426FD15F6091FB70CA84CB60

Function 00521D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fbad5e4bd4512f85543cde5a2df04f2361dde95b1995c988739d747e269c59
Instruction ID: 86252864f9eac8ff1ae5ca05217baa785284306ca2e3c906dfd8857c5911373c
Opcode Fuzzy Hash: 02fbad5e4bd4512f85543cde5a2df04f2361dde95b1995c988739d747e269c59
Instruction Fuzzy Hash: 70017CB2205A2ABEF62116787CC4F276E1CFFA23B8B301725F521611D2DA608C4191B4

Function 00551A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00551A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A8A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d2f8c23ed5de8b6d03dffcaf4ce04e3ecacc76f0206dda6751e52879bf79626e
Instruction ID: 3b0732d5d7c0a47467e987936df06a26e4473e8e7099375d9021cabd1d5dd60d
Opcode Fuzzy Hash: d2f8c23ed5de8b6d03dffcaf4ce04e3ecacc76f0206dda6751e52879bf79626e
Instruction Fuzzy Hash: BC112A3A901219FFEB119BA5C985FADBB78FB04750F200092EA01B7290D6716E50DB94

Function 0055E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0055E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0055E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0055E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0055E24D

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 36de70c33c4bcdba2362b1aae9f0dab210e75142477f1a486f99dea14863bc33
Instruction ID: b255ccf78be8e2b0e0a0eb2f234bf5f83a87a05d6ab6ffcbe5dcf79a76d4b0bc
Opcode Fuzzy Hash: 36de70c33c4bcdba2362b1aae9f0dab210e75142477f1a486f99dea14863bc33
Instruction Fuzzy Hash: 1C114876904644BFC7059FA8AC0AE9E3FACEB52715F004616FC25E3281C6B08A0897B0

Function 0051D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0051CFF9,00000000,00000004,00000000), ref: 0051D218
GetLastError.KERNEL32 ref: 0051D224
__dosmaperr.LIBCMT ref: 0051D22B
ResumeThread.KERNEL32(00000000), ref: 0051D249

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 53ee5aef784e550aa5609501e1dd38e347350dd3d5e8278303e9ff4872e36217
Instruction ID: b80e64937a85029c8d8d254d9410430fb4cb275db9a5dd28058ddd7cd89e584b
Opcode Fuzzy Hash: 53ee5aef784e550aa5609501e1dd38e347350dd3d5e8278303e9ff4872e36217
Instruction Fuzzy Hash: AB01C03A905205BBEB115BA5DC09AEA7E79FF81330F200219F935921D0DB718985D7B0

Function 00589EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

GetClientRect.USER32(?,?), ref: 00589F31
GetCursorPos.USER32(?), ref: 00589F3B
ScreenToClient.USER32(?,?), ref: 00589F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00589F7A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7e4c5139cf238f5a6bb3adc23dcb61fd4d866d459445473c6dc37db48b3ade03
Instruction ID: 5c46b7b693792615371471748b51d4ea9603c300062f10b48580c8718ad0bc6e
Opcode Fuzzy Hash: 7e4c5139cf238f5a6bb3adc23dcb61fd4d866d459445473c6dc37db48b3ade03
Instruction Fuzzy Hash: E111333290011AABDB06EFA8D8899FE7BB9FB45311F140455FE12F3141D330BA85DBA1

Function 004F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
GetStockObject.GDI32(00000011), ref: 004F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 464bb053a5efd1d763db4d50a57a7e2bf0fdfdd0f5e19a476d86e57d30c3072e
Instruction ID: ba7173b2559387c009cfa80b31ddae16b3455ecca1d9bb5d6dfee26faaecdcf4
Opcode Fuzzy Hash: 464bb053a5efd1d763db4d50a57a7e2bf0fdfdd0f5e19a476d86e57d30c3072e
Instruction Fuzzy Hash: 8F118B7250150CBFEF128FA48C44EFBBF69EF183A4F110216FA0592110DB369C60EBA4

Function 00513B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00513B56

Part of subcall function 00513AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00513AD2
Part of subcall function 00513AA3: ___AdjustPointer.LIBCMT ref: 00513AED

_UnwindNestedFrames.LIBCMT ref: 00513B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00513B7C
CallCatchBlock.LIBVCRUNTIME ref: 00513BA4

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 16ddaf37c539a2b3b3ba1aaa0df550d57ed6279eb53d3a2bea49877ac2960fff
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3101E972100149BBEF125E95CC4AEEB7F69FF98754F044014FE5856121D732E9A1DBA0

Function 00523073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004F13C6,00000000,00000000,?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue), ref: 005230A5
GetLastError.KERNEL32(?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue,00592290,FlsSetValue,00000000,00000364,?,00522E46), ref: 005230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue,00592290,FlsSetValue,00000000), ref: 005230BF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 030c2579494af36d33bd4295d8237ef610dc94165ee3770afcc6f1836cf471dd
Instruction ID: 6e1676d429bc5ad7f3664466e100d5f9e0231e1d41d90491389ae9486647909c
Opcode Fuzzy Hash: 030c2579494af36d33bd4295d8237ef610dc94165ee3770afcc6f1836cf471dd
Instruction Fuzzy Hash: E101D436701636ABCB214A78BC88A577F98BF16B61B110A20F906E71D0DB35D909C7F0

Function 00557464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0055747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00557497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005574CA

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 8f115c8d4a575dc6ca2501372569e8dcabcfabeacd9c1a6b0609925febc672c5
Instruction ID: f9222ff8767d01814c2378dd48042bcabcb52a6d75e251d0187c99b08f24af57
Opcode Fuzzy Hash: 8f115c8d4a575dc6ca2501372569e8dcabcfabeacd9c1a6b0609925febc672c5
Instruction Fuzzy Hash: 5E11A1B1205318DBEB208F24EC18F927FFCFB04B01F10856AAE26D6151D770E948EB61

Function 0055B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B126

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6a075968ce240a122d5fc5ed089eb69a13b8be8484516a75b304ddbcb4a43855
Instruction ID: 97a90ca8e51fa1c557572ce3a30dfd22298dbdc7a121f4c724b4710edcad2abb
Opcode Fuzzy Hash: 6a075968ce240a122d5fc5ed089eb69a13b8be8484516a75b304ddbcb4a43855
Instruction Fuzzy Hash: CB115730C01928EBEF00AFE5E9AC6EEBF78BB59312F104486DD41B2181CB305658DB61

Function 00587E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00587E33
ScreenToClient.USER32(?,?), ref: 00587E4B
ScreenToClient.USER32(?,?), ref: 00587E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00587E8A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 982af78fc42cb7d88daf3d6144843f36432d3d56bfb2edfc3521ca32ebe38dd3
Instruction ID: 10e66a25d5aee613f61ad623be9c0439fd6c18f912423508970328b3bb53bccd
Opcode Fuzzy Hash: 982af78fc42cb7d88daf3d6144843f36432d3d56bfb2edfc3521ca32ebe38dd3
Instruction Fuzzy Hash: 9B1146B9D00209AFDB41DF99C444AEEBBF9FF18310F505066E925E2210D735AA54DF90

Function 00552DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00552DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00552DD6
GetCurrentThreadId.KERNEL32 ref: 00552DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00552DE4

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f415dc13f854c30beea0dc3e2bcafd8bd043f4b8a987bfcaae2368db09ba1e94
Instruction ID: bb2f3594ca543fd568c9aaf9c3765a90f123e17cc3851c817de0ff343daafe35
Opcode Fuzzy Hash: f415dc13f854c30beea0dc3e2bcafd8bd043f4b8a987bfcaae2368db09ba1e94
Instruction Fuzzy Hash: A1E06DB11012247AD7201B67AC0EEEB3E6CFB63BA2F001126B905E1080AAB48849D7B0

Function 00588863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00509639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096A2
Part of subcall function 00509639: BeginPath.GDI32(?), ref: 005096B9
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00588887
LineTo.GDI32(?,?,?), ref: 00588894
EndPath.GDI32(?), ref: 005888A4
StrokePath.GDI32(?), ref: 005888B2

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e303fbef6aaf7d770ff0233d514f540544c5277472bba31a65b04c9ec888fe96
Instruction ID: edcaf5c140a7c4131524c9fb8dc50f87b506c93b687aa6ef75714a195330c6b7
Opcode Fuzzy Hash: e303fbef6aaf7d770ff0233d514f540544c5277472bba31a65b04c9ec888fe96
Instruction Fuzzy Hash: DBF03436041659FAEB126F94AC0EFDE3E69AF26310F448000FE11750E2C7B55529EFA9

Function 005098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005098CC
SetTextColor.GDI32(?,?), ref: 005098D6
SetBkMode.GDI32(?,00000001), ref: 005098E9
GetStockObject.GDI32(00000005), ref: 005098F1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 66f914b8d94c828e51b966b4ea0b78171685ea643f48e8285c68fc65e7dd49ab
Instruction ID: 0a714028f5ff17a57305e6943987a5c47ecdf35aa8186a0584eb415aa48972fe
Opcode Fuzzy Hash: 66f914b8d94c828e51b966b4ea0b78171685ea643f48e8285c68fc65e7dd49ab
Instruction Fuzzy Hash: 5CE06D31244284AEDF215B74BC0DBE83F20BB26336F04921AFAFA680E1C3714644EB20

Function 0055162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00551634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005511D9), ref: 0055163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005511D9), ref: 00551648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005511D9), ref: 0055164F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b4b15d040d1e9417a1795a03df8b244a24de44f6323f0693ad8a39c9eac0cd26
Instruction ID: 4303b090973d11d1fe1330b632ba9151e98da366a318cee3e8c55ce3adc2bfde
Opcode Fuzzy Hash: b4b15d040d1e9417a1795a03df8b244a24de44f6323f0693ad8a39c9eac0cd26
Instruction Fuzzy Hash: 29E08631601211DBD7201FB0AD0DB4A3F7CBF657D2F154809FA45E9080D6344449E774

Function 0054D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0054D858
GetDC.USER32(00000000), ref: 0054D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0054D882
ReleaseDC.USER32(?), ref: 0054D8A3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a3d1d9961c0edb40999cb608d7bd2c4722cac09bd16d62cbac06b7c96a312769
Instruction ID: 4d5d59a66fb7f8211522a2a887758280cc392e400953d53bedeaf52237dad93b
Opcode Fuzzy Hash: a3d1d9961c0edb40999cb608d7bd2c4722cac09bd16d62cbac06b7c96a312769
Instruction Fuzzy Hash: E4E0E5B4800205DFCB419FA5990C66DBFB1BB18310B149419E906B7250D7384905AF60

Function 0054D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0054D86C
GetDC.USER32(00000000), ref: 0054D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0054D882
ReleaseDC.USER32(?), ref: 0054D8A3

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ec6ccd6eac97d48a2bda210a088aeb9b6df6730a47e5e1f1c13ee72e570fd79
Instruction ID: b5e66a41b2ee93197afd8f207a31d8034d36eb17172992ccb3aeb1ae515949b2
Opcode Fuzzy Hash: 3ec6ccd6eac97d48a2bda210a088aeb9b6df6730a47e5e1f1c13ee72e570fd79
Instruction Fuzzy Hash: A8E01A74800204DFCB409FB5D80C66DBFB1BB18310B149419E90AF7250D7385905AF60

Function 00564D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00564ED4

Strings

LPT, xrefs: 00564DFB
*, xrefs: 00564E10

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6423cbd094b8b47d38e43647f45c4e09134c105b278c8891771177eab90b77eb
Instruction ID: 7fa0f47a489722821ba9e87727f05f5f376dd7fd994561ad769c80fd18d89b1c
Opcode Fuzzy Hash: 6423cbd094b8b47d38e43647f45c4e09134c105b278c8891771177eab90b77eb
Instruction Fuzzy Hash: 5E915E75A00244AFCB14DF58C484EAABBF5BF44308F198099E80A9F7A2D775ED85CF91

Function 0051E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0051E30D

Strings

pow, xrefs: 0051E2E5, 0051E302

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1e8804b509481cd56bc08912bce7dbdfc5ee5d74be8af853a1e63f07fb580f1b
Instruction ID: 0e991a8d7c7c84a66d19721d9958aeb95e5567cf8b8fa678e7dadc51688aef70
Opcode Fuzzy Hash: 1e8804b509481cd56bc08912bce7dbdfc5ee5d74be8af853a1e63f07fb580f1b
Instruction Fuzzy Hash: 7B51CE61A0C11A96EB11B724DD033FA3F98FF55740F304D99E8E5432E8EB348CC59A46

Function 00577771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0054569E,00000000,?,0058CC08,?,00000000,00000000), ref: 005778DD

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

CharUpperBuffW.USER32(0054569E,00000000,?,0058CC08,00000000,?,00000000,00000000), ref: 0057783B

Strings

<s[, xrefs: 005777C8

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s[
API String ID: 3544283678-714827695
Opcode ID: 0f504cbc19e2ce5656a328182b8f7767eefa32cdf28427c5ac40b805240ba873
Instruction ID: 9f0251bf921022dea4a21fdba3edd65ec56e3718dcdcc3f45859839f77a520ae
Opcode Fuzzy Hash: 0f504cbc19e2ce5656a328182b8f7767eefa32cdf28427c5ac40b805240ba873
Instruction Fuzzy Hash: 1061707291411DAACF04EBA5EC91DFDBBB4FF18304B44452AE606B3091EF785A05DBA4

Function 0050E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0050E1B1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 8f66cff285205b527cd76519077a6265cbb03d3b79c227a9e507aab53c35159c
Instruction ID: 711c4e808e03efe667dfffc0d55b3a143e6621244018284ac71e4e29787695c4
Opcode Fuzzy Hash: 8f66cff285205b527cd76519077a6265cbb03d3b79c227a9e507aab53c35159c
Instruction Fuzzy Hash: 0E512379900286DFDB15DF28C482AFE7FA4FF65328F644459EC919B2D0D634AD42CBA0

Function 0050F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0050F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0050F2BB

Strings

@, xrefs: 0050F2AF

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 697e81507c29af60b4626b8abd5f1b98e8cb3a2b530420242bd6768021d40a21
Instruction ID: 648b274a939b89aadb0c13c6aed8ad8c9f34b816608435543f2b0812c7e3ef05
Opcode Fuzzy Hash: 697e81507c29af60b4626b8abd5f1b98e8cb3a2b530420242bd6768021d40a21
Instruction Fuzzy Hash: B15147714087499BD320AF15D886BABBBF8FF95304F81484DF29941195EB348929CB6B

Function 00575745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005757E0
_wcslen.LIBCMT ref: 005757EC

Strings

CALLARGARRAY, xrefs: 005757E6, 005757EB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: fa4fea03a76b6baf1e5ffd33fa7b0e386da42a0fac7fdf3f7db0e0c6bd2afa92
Instruction ID: a0a67ea0ecddf1c859ad374ab2a24726f93769c748d52ac58ec63a0c46f95071
Opcode Fuzzy Hash: fa4fea03a76b6baf1e5ffd33fa7b0e386da42a0fac7fdf3f7db0e0c6bd2afa92
Instruction Fuzzy Hash: 6641C031A001099FCB04DFA9D8869BEBFF4FF98354F20802EE509A7291E7709D81CB91

Function 0056D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0056D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0056D13A

Strings

|, xrefs: 0056D10B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 13bd30607841701176259069629061d6513f2bea288bba09a9b4877d488ff646
Instruction ID: aa0213e7243e60e67a8c22eb6a033119162524c9e10fc05a15d73f5d162a161d
Opcode Fuzzy Hash: 13bd30607841701176259069629061d6513f2bea288bba09a9b4877d488ff646
Instruction Fuzzy Hash: 3D316F71D00209ABCF11EFA5CC85EEEBFB9FF05344F00001AF915A6261D775AA56CB64

Function 0058356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00583621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0058365C

Strings

static, xrefs: 005835BC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 832f5d3f6a263f867b31a59cdf04fc9617df97a980e35679c8b55c4e93b8e6d6
Instruction ID: 322bf49bc5b3b98875fd955e5e16b14c82a8d20b556071cb1b3dd2d26583b6e4
Opcode Fuzzy Hash: 832f5d3f6a263f867b31a59cdf04fc9617df97a980e35679c8b55c4e93b8e6d6
Instruction Fuzzy Hash: AD318171110604AEDB10EF29DC80EBB7BA9FF98724F509619FD55A7180DA30AD91D760

Function 00584537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0058461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00584634

Strings

', xrefs: 0058458E

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 40c365d231d7ffe8f64b4ca220dbf4cfba623d3e06a6fd4280c891f50be02109
Instruction ID: 1c3a5562475d075b35527e6708d1f1285873062e77e34b2255341ee0519e75a9
Opcode Fuzzy Hash: 40c365d231d7ffe8f64b4ca220dbf4cfba623d3e06a6fd4280c891f50be02109
Instruction Fuzzy Hash: 22311574A0020A9FDB14DFA9C980AEA7BB5FF09300F10406AED05AB341E770A941DF90

Function 005831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0058327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00583287

Strings

Combobox, xrefs: 00583249

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9b832bb5b7d3a042e001fe2975f9af31891ff407cae39de44e73dfb7f601bf2d
Instruction ID: 54051c6fd7e76cc348bfa9fef243c807de326939a45a63d140d15c595bcee0db
Opcode Fuzzy Hash: 9b832bb5b7d3a042e001fe2975f9af31891ff407cae39de44e73dfb7f601bf2d
Instruction Fuzzy Hash: F811E2753002087FEF21AE54DC84EBB3F6AFB98764F100128FD1AAB290D6719D518760

Function 00583710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
Part of subcall function 004F600E: GetStockObject.GDI32(00000011), ref: 004F6060
Part of subcall function 004F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

GetWindowRect.USER32(00000000,?), ref: 0058377A
GetSysColor.USER32(00000012), ref: 00583794

Strings

static, xrefs: 00583757

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3acca13b4391a1d5053de9e38a4c39c7b317db67b5cbd2efee12b918e37eef68
Instruction ID: 10dcd9ecfb3686e1864064276a0418964ed68f6f628f33e5fb5f61262ecb683f
Opcode Fuzzy Hash: 3acca13b4391a1d5053de9e38a4c39c7b317db67b5cbd2efee12b918e37eef68
Instruction Fuzzy Hash: 8E1129B2610209AFDF00EFA8CC45EFA7BB8FB08714F004915FD55E2251E775E9559B60

Function 0056CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0056CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0056CDA6

Strings

<local>, xrefs: 0056CD66

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 71e3f38ac8c81380030d9a7159c8aa37f969045005180cc342a2c1c4f849ab7c
Instruction ID: 8f5a37549588f3320f0bb70bfd2992b0cb6ef34f39ea0d9cff4229fc0edeab09
Opcode Fuzzy Hash: 71e3f38ac8c81380030d9a7159c8aa37f969045005180cc342a2c1c4f849ab7c
Instruction Fuzzy Hash: 8011A071205671BAD7285A668C49EF7BEBCFB227A4F00462AB58993180D6749844D6F0

Function 00583429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005834BA

Strings

edit, xrefs: 0058348F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5b13165f321ca0e47aed512b2819edc3e5d64a5251fe6d9a7a9ed5674e694166
Instruction ID: f59328153d4eb4174d74847268e685c14d94d997500e4c4c1635296598bfc4a3
Opcode Fuzzy Hash: 5b13165f321ca0e47aed512b2819edc3e5d64a5251fe6d9a7a9ed5674e694166
Instruction Fuzzy Hash: 61119D71100108AEEF11AE64DC48ABA3F6AFF15B78F504724FD61A71E0C771DC559760

Function 00556C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00556CB6
_wcslen.LIBCMT ref: 00556CC2

Strings

STOP, xrefs: 00556CBC, 00556CC1

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 154659541e583729033f9c3c1d3df295d184dc376f277bfb93d1196eee62450a
Instruction ID: e48f0b0ac649dbdae20fc981c5363346e228f11d037421913ccf36af14568f6e
Opcode Fuzzy Hash: 154659541e583729033f9c3c1d3df295d184dc376f277bfb93d1196eee62450a
Instruction Fuzzy Hash: 6D0108326005678ACB119FBDCCA19BF7BB4FA60715780092AEC5297190FB31DC08C650

Function 00551CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00551D4C

Strings

ListBox, xrefs: 00551D16
ComboBox, xrefs: 00551CEB

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 463886c6f1cc0ad7bc58d93059315a012e755adaf0b2e1724b095fb8c7ebc7e6
Instruction ID: f84c5e5b94cb01e71af3bc3a18ceca0b593c2ec688fac6b5af375d368b24260f
Opcode Fuzzy Hash: 463886c6f1cc0ad7bc58d93059315a012e755adaf0b2e1724b095fb8c7ebc7e6
Instruction Fuzzy Hash: D001B571611618AB8B08EFA5CC65AFE7F78FF56390B04091BEC22672C1EA355D0C8664

Function 00551BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00551C46

Strings

ListBox, xrefs: 00551C10
ComboBox, xrefs: 00551BE5

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c91c6582c1163672c8bfb5bb9975baec53fc164358632a93020618dd27a86062
Instruction ID: a2c9594f8364310281dfd9883073b44dd90a3d0c7814019f1146e167c35b14fe
Opcode Fuzzy Hash: c91c6582c1163672c8bfb5bb9975baec53fc164358632a93020618dd27a86062
Instruction Fuzzy Hash: 9F01A77569110866CB08EB91C965BFF7FA8BF51381F14041BED0677281EA259E0CC6B9

Function 00551C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00551CC8

Strings

ListBox, xrefs: 00551C94
ComboBox, xrefs: 00551C69

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 34542732ffdf0e5e710933282622ba050ba02fd787766a84e7945b932a4112e4
Instruction ID: e177e3da5119a85eb6a391187262b82e645a7bc31d6357b682d8d8ffcf818498
Opcode Fuzzy Hash: 34542732ffdf0e5e710933282622ba050ba02fd787766a84e7945b932a4112e4
Instruction Fuzzy Hash: 9401DB7164015867CB04EB95CA22BFE7FA8BF113C1F14001BBD0677281EA259F0CC675

Function 0050A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0050A529

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Strings

,%\, xrefs: 0050A509
3yT, xrefs: 0050A545, 0050A54D, 0050A552

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%\$3yT
API String ID: 2551934079-2759134763
Opcode ID: d235c8c9a18791860a0c29b46845215c7c2dfa1bfa602a755881ecd1e665f45c
Instruction ID: 3c4369859dc386994e60d4337c3cc3d83e101e5f4859eaefecfdc7d99b9ad981
Opcode Fuzzy Hash: d235c8c9a18791860a0c29b46845215c7c2dfa1bfa602a755881ecd1e665f45c
Instruction Fuzzy Hash: 9B01F2326007159BCE00F7A9DC1BFAE3F54BB85710F400429F6125B1C2EEA4AD858A9B

Function 00551D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00551DD3

Strings

ListBox, xrefs: 00551DA0
ComboBox, xrefs: 00551D75

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0fea5e6b85761404ab865ea8ee160e161d13fbb676c06835cef5352a30765138
Instruction ID: 1b6e1145282c1b50301c241230738bf4c135f35b0ddb428a64b33612c4185d51
Opcode Fuzzy Hash: 0fea5e6b85761404ab865ea8ee160e161d13fbb676c06835cef5352a30765138
Instruction Fuzzy Hash: B5F0F471A5061866CB08FBA5CC62BFE7F78BF01384F04091BFD22A72C1EA745D0C8268

Function 00588172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005C3018,005C305C), ref: 005881BF
CloseHandle.KERNEL32 ref: 005881D1

Strings

\0\, xrefs: 0058818A

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0\
API String ID: 3712363035-662447594
Opcode ID: 62cb9a56d12edaa5c69d8e7bdd6dadc38c0d685879be1670a06f8f33e6798f24
Instruction ID: 5dc3bd197dc357535608f8480139db37f596067fd49df05888e219a6c0846de8
Opcode Fuzzy Hash: 62cb9a56d12edaa5c69d8e7bdd6dadc38c0d685879be1670a06f8f33e6798f24
Instruction Fuzzy Hash: E8F030B2640708BEE3106761AC4DFB77E5CFB14750F008425BA08F51A1D6758E54A3B8

Function 0057747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00577493
_wcslen.LIBCMT ref: 005774B9

Strings

3, 3, 16, 1, xrefs: 00577483

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 3590c55970e2ebb726816eb2f34fd154e08e70942f7fcc4e4930f997049638de
Instruction ID: efa70a690d78d01186a6d50e2a27398acd78656056fe8f6cfafb9410f6e337aa
Opcode Fuzzy Hash: 3590c55970e2ebb726816eb2f34fd154e08e70942f7fcc4e4930f997049638de
Instruction Fuzzy Hash: 4FE02B0220432510A731127ABCC99BF5ECAFFCD750714282BF989C2276EA948DD1A3A0

Function 00550B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00550B23

Strings

AutoIt, xrefs: 00550B17
Error allocating memory., xrefs: 00550B1C

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f6273dd3f9b4f6f00d77c3df1cfd2f50c9ab6b29049c5486eba0fd600d1e4907
Instruction ID: 6ab239edba5e3e0344ac29727b343432d2c9ad2b97a804f4e76d45f989d10075
Opcode Fuzzy Hash: f6273dd3f9b4f6f00d77c3df1cfd2f50c9ab6b29049c5486eba0fd600d1e4907
Instruction Fuzzy Hash: 98E0923224430926D22437547C07F8D7E88AB05B25F10046AFB58A94C38AE1249047A9

Function 00510D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0050F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00510D71,?,?,?,004F100A), ref: 0050F7CE

IsDebuggerPresent.KERNEL32(?,?,?,004F100A), ref: 00510D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004F100A), ref: 00510D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00510D7F

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 6c6d4bc2f11edd6899f1a6e6c6a42539766a6049ca7e433c9fd6fe347594b770
Instruction ID: 2461302750dc65607c6bc088f8c8eef0b998045223e2a437e6d44d8a2f196417
Opcode Fuzzy Hash: 6c6d4bc2f11edd6899f1a6e6c6a42539766a6049ca7e433c9fd6fe347594b770
Instruction Fuzzy Hash: 64E065742007418FE770AF78E4087467FE4BB14744F00492DE882D6691DBF4E4889BA1

Function 0050E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0050E3D5

Strings

0%\, xrefs: 0050E3B5
8%\, xrefs: 0050E3CA

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%\$8%\
API String ID: 1385522511-277581082
Opcode ID: 790d7454e5f03e98299a7e1b55bac24f8f853a2543fd60f550021f64ca8eab08
Instruction ID: ba2416d64fe91b41494c16700d1218277272ab8296731676201542b59ca09e84
Opcode Fuzzy Hash: 790d7454e5f03e98299a7e1b55bac24f8f853a2543fd60f550021f64ca8eab08
Instruction Fuzzy Hash: 8AE02631404D20CFC6049718F85AECE3F91BB45320F203D68E1128F1D1DF7478859644

Function 00563017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0056302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00563044

Strings

aut, xrefs: 00563038

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 123d521eab734f5ca2a653b9bed6057fac80e933b0b74117f3acdbb3a4b2aff1
Instruction ID: 46b05349ca85abcd6b4745d68cfd3a039e29eb5952be1453854022fe51de76ac
Opcode Fuzzy Hash: 123d521eab734f5ca2a653b9bed6057fac80e933b0b74117f3acdbb3a4b2aff1
Instruction Fuzzy Hash: 5AD05B7550031467DA2097949C0DFD73E6CD704750F0001917A96E20D1DAB49544CBE0

Function 0054D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0054D220

Strings

X64, xrefs: 0054D2A8
%.3d, xrefs: 0054D22B

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 730e5f74c40af581f9424d94f386303e862d4d243933a2a4e6d8d61f288c26de
Instruction ID: 0fa13e84f8bce61c00e3efa483571e1f1d0a02699c63d643e296b4607dd39546
Opcode Fuzzy Hash: 730e5f74c40af581f9424d94f386303e862d4d243933a2a4e6d8d61f288c26de
Instruction Fuzzy Hash: 40D0627980D119EACB9096D0DC499FDBFBCBB58345F548C52FD07A1080E674D5486B71

Function 00582356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0058236C
PostMessageW.USER32(00000000), ref: 00582373

Part of subcall function 0055E97B: Sleep.KERNEL32 ref: 0055E9F3

Strings

Shell_TrayWnd, xrefs: 00582365

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 10f3bd5274c64cde33aff009345d24851fec9187ef38dce4446ff450929ac731
Instruction ID: abca23787ce40f887fa50fb85e0a9c40063b110be26e3d34a90202d0cdfa2fcd
Opcode Fuzzy Hash: 10f3bd5274c64cde33aff009345d24851fec9187ef38dce4446ff450929ac731
Instruction Fuzzy Hash: 32D0A9323803007AE668A3309C0FFC66E14AB11B00F0009127A41AA0D0C8B0B8098B24

Function 00582322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0058232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0058233F

Part of subcall function 0055E97B: Sleep.KERNEL32 ref: 0055E9F3

Strings

Shell_TrayWnd, xrefs: 00582325

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2276732abcba263d1885a26e6bf03a0bbf2627eea1ab245009b15cc5a56c511d
Instruction ID: 85773e182ff09d8d74fc8d2eb6975a92b27b576463555353a0b0caeabcd8aaa7
Opcode Fuzzy Hash: 2276732abcba263d1885a26e6bf03a0bbf2627eea1ab245009b15cc5a56c511d
Instruction Fuzzy Hash: B6D0A932380300B6E668A3309C1FFC66E14AB10B00F0009127A45AA0D0C8B0A8098B20

Function 0052BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0052BE93
GetLastError.KERNEL32 ref: 0052BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0052BEFC

Memory Dump Source

Source File: 00000000.00000002.1781796169.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1781768561.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781917064.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1781990879.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1782017292.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1f589fca80a591922a68503129ceba69ff45ffa646bf98c68412a66fca3fd964
Instruction ID: 132c51def7c12d3c3a3a293ab15863b47de89e80dc3c15c44aeff7d30ac65fb9
Opcode Fuzzy Hash: 1f589fca80a591922a68503129ceba69ff45ffa646bf98c68412a66fca3fd964
Instruction Fuzzy Hash: B941E935604226AFEF218F64ED88ABA7FA9FF43320F154169F969571E1DB308D01DB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1918894580.00000241F7E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1970167667.00000241F97EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940704342.00000241F97EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945599070.00000241F97EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1932410810.00000241FEE53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1802772529.00000241FA97B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933085590.00000241FA956000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1802772529.00000241FA97B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933085590.00000241FA956000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1802772529.00000241FA97B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933085590.00000241FA956000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3572185732.0000025471F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3572521463.0000019B5EE0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3572521463.0000019B5EE0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3572521463.0000019B5EE0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1970167667.00000241F97EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944904281.00000241FF690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929557233.00000241FF690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957665995.00001E2080F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1944904281.00000241FF690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929557233.00000241FF690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937512669.00000241FF690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49853 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_64dc646c-e7c5-4da9-9a61-28d354a0f1a5.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_64dc646c-e7c5-4da9-9a61-28d354a0f1a5.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MEDVUVLA3HSB55R6S8GH.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VO008HJL8Q25CSV8LH4O.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre