Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542975
MD5:	085a2d34bb54fb4307229313b154231a
SHA1:	92f875b6f66a2391ce5cd4a7ec771811b97b4349
SHA256:	3f8ba298be141ece1ab099ad1383eb19f597be3e7823ff603b8cad470258f38f
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 085A2D34BB54FB4307229313B154231A)

taskkill.exe (PID: 7288 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7384 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7448 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7512 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7576 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7640 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7672 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7688 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7924 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9e3fb81-0d0b-4a1e-b8d8-29e002a660ae} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cc8270710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7428 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1320 -parentBuildID 20230927232528 -prefsHandle 2692 -prefMapHandle 1060 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fde0a241-5872-4d7e-a943-4e71d11b0b1b} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cd504ae10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3720 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1540 -prefMapHandle 5028 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d56f2c-6efd-41a2-b64b-1bd529b5955a} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cdbe8e710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1723619393.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7272	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00CEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CEEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CEED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00CEEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CDAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00CDAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D09576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D09576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1663741570.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ebe0d05e-3
Source: file.exe, 00000000.00000000.1663741570.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_eca9a327-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a5d63ffa-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0bc53836-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F6056CB577 NtQuerySystemInformation,		16_2_000001F6056CB577
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F6056E4C72 NtQuerySystemInformation,		16_2_000001F6056E4C72

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CDD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00CDD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00CD1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00CDE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE2046	0_2_00CE2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C78060	0_2_00C78060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD8298	0_2_00CD8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAE4FF	0_2_00CAE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA676B	0_2_00CA676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D04873	0_2_00D04873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7CAF0	0_2_00C7CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9CAA0	0_2_00C9CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8CC39	0_2_00C8CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA6DD9	0_2_00CA6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C791C0	0_2_00C791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8B119	0_2_00C8B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C91394	0_2_00C91394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C91706	0_2_00C91706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9781B	0_2_00C9781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C919B0	0_2_00C919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8997D	0_2_00C8997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C77920	0_2_00C77920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C97A4A	0_2_00C97A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C97CA7	0_2_00C97CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C91C77	0_2_00C91C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA9EEE	0_2_00CA9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFBE44	0_2_00CFBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C91F32	0_2_00C91F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F6056CB577	16_2_000001F6056CB577
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F6056E4C72	16_2_000001F6056E4C72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F6056E539C	16_2_000001F6056E539C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F6056E4CB2	16_2_000001F6056E4CB2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C90A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C8F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE37B5 GetLastError,FormatMessageW,

0_2_00CE37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD10BF AdjustTokenPrivileges,CloseHandle,		0_2_00CD10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00CD16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CE51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CDD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00CDD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CE648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C742A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922717959.0000021CD9260000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929531633.0000021CD9254000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1924366879.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890459284.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911754472.0000021CE3BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9e3fb81-0d0b-4a1e-b8d8-29e002a660ae} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cc8270710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1320 -parentBuildID 20230927232528 -prefsHandle 2692 -prefMapHandle 1060 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fde0a241-5872-4d7e-a943-4e71d11b0b1b} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cd504ae10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1540 -prefMapHandle 5028 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d56f2c-6efd-41a2-b64b-1bd529b5955a} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cdbe8e710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9e3fb81-0d0b-4a1e-b8d8-29e002a660ae} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cc8270710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1320 -parentBuildID 20230927232528 -prefsHandle 2692 -prefMapHandle 1060 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fde0a241-5872-4d7e-a943-4e71d11b0b1b} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cd504ae10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1540 -prefMapHandle 5028 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d56f2c-6efd-41a2-b64b-1bd529b5955a} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cdbe8e710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000D.00000003.1922717959.0000021CD9260000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929531633.0000021CD9254000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000D.00000003.1911586225.0000021CD5989000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1929225773.0000021CD9346000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921957442.0000021CD9346000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.1918778484.0000021CDA4DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928247858.0000021CDA4DA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1929616529.0000021CD921C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922909788.0000021CD921B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1922717959.0000021CD9260000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929531633.0000021CD9254000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000D.00000003.1911586225.0000021CD5989000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1929616529.0000021CD921C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922909788.0000021CD921B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1929616529.0000021CD921C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922909788.0000021CD921B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1929616529.0000021CD921C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922909788.0000021CD921B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C742DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C90A76 push ecx; ret		0_2_00C90A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C75C92 push 00000043h; retf		0_2_00C75C94

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C8F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D01C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95916

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F6056CB577 rdtsc

16_2_000001F6056CB577

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CDDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE68EE FindFirstFileW,FindClose,	0_2_00CE68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00CE698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CDD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CDD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CE9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CE979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00CE9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CE5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C742DE

Source: firefox.exe, 00000011.00000002.2926914097.00000203646A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhbs
Source: firefox.exe, 0000000F.00000002.2920801242.000001FDB997A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2920801242.000001FDB99A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2919260623.000001F604DEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927454343.000001F605790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2927379115.000001FDB9D1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2928381432.000001FDB9E08000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2920801242.000001FDB99A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927454343.000001F605790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000011.00000002.2920614711.00000203642DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpZjd

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F6056CB577 rdtsc

16_2_000001F6056CB577

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CEEAA2 BlockInput,

0_2_00CEEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CA2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C94CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C94CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00CD0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CA2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C9083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C909D5 SetUnhandledExceptionFilter,	0_2_00C909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C90C21

Source: C:\Users\user\Desktop\file.exe

0_2_00CD1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CB2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CDB226 SendInput,keybd_event,

0_2_00CDB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CF22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00CD0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00CD1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C90698 cpuid

0_2_00C90698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00CE8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CCD27A GetUserNameW,

0_2_00CCD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00CABB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C742DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1723619393.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7272, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1723619393.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7272, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CF1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CF1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	41%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://poczta.interia.pl/mh/?mailto=%s	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.193	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	151.101.1.91	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.185.174	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	142.250.185.142	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.1.140	true	false		unknown
ipv4only.arpa	192.0.0.171	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://contile.services.mozilla.com/SELECT	firefox.exe, 0000000D.00000003.1907341842.0000021CE01BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931724246.0000021CE01FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752401054.0000021CE01C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925593833.0000021CE01C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895452092.0000021CE01BF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000002.2921520697.000001F6051C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2922472668.00000203645C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2922394955.000001FDB9BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F6051E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2927382658.0000020364805000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1846076822.0000021CE0047000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853385603.0000021CE0047000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.2922472668.000002036458E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.o	firefox.exe, 0000000D.00000003.1776768700.0000021CD960E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881083776.0000021CD960E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867015644.0000021CD960E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1925805973.0000021CE0186000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1706025628.0000021CD7F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705894653.0000021CD7F5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705498326.0000021CD7D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705774989.0000021CD7F3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705606587.0000021CD7F1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1753328244.0000021CD99B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920053902.0000021CD93B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1753328244.0000021CD9954000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1892813192.0000021CE18F5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1925966168.0000021CDFFB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764708272.0000021CDFFB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1706025628.0000021CD7F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705894653.0000021CD7F5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705498326.0000021CD7D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705774989.0000021CD7F3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773217807.0000021CD949D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922399692.0000021CD9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851049230.0000021CD949D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705606587.0000021CD7F1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1900450127.0000021CDAAC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916044912.0000021CDAAC9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1706025628.0000021CD7F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705894653.0000021CD7F5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705498326.0000021CD7D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705774989.0000021CD7F3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705606587.0000021CD7F1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1914614905.0000021CDB7ED000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2922394955.000001FDB9BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F6051E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2927382658.0000020364805000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1929879498.0000021CE36D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1893303886.0000021CE064C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1925966168.0000021CDFFB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764708272.0000021CDFFB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2922394955.000001FDB9BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F6051E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2927382658.0000020364805000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1893303886.0000021CE064C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F60510A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2922472668.000002036450C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1787220127.0000021CD886C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1922064463.0000021CD9329000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000002.2921520697.000001F6051C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2922472668.00000203645C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1927114884.0000021CDBE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1786832770.0000021CD9640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1782406335.0000021CD967B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1828085982.0000021CD90BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887572308.0000021CD90BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775873583.0000021CD90BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1770178654.0000021CD90BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768477287.0000021CD90BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1929879498.0000021CE365A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1753328244.0000021CD99B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920053902.0000021CD93B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1922357988.0000021CD92A4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1764708272.0000021CDFFB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1930186467.0000021CE253D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F605112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2922472668.0000020364513000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1892813192.0000021CE18F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1773217807.0000021CD947B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852091919.0000021CD90B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899032637.0000021CDB327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775873583.0000021CD90B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891235140.0000021CE36EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919315554.0000021CDA410000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851423334.0000021CD9451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846076822.0000021CE0036000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887999446.0000021CD9408000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864361753.0000021CD86C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915368528.0000021CDB327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900914678.0000021CDAA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828085982.0000021CD90BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914614905.0000021CDB7D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828085982.0000021CD90DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881230379.0000021CD90F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846651156.0000021CDB9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842526793.0000021CD8C76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899032637.0000021CDB337000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932702198.0000021CDB7DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832989374.0000021CD86CF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1900450127.0000021CDAAC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916044912.0000021CDAAC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1900450127.0000021CDAAC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916044912.0000021CDAAC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916044912.0000021CDAAC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000D.00000003.1755529460.0000021CE03F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897504464.0000021CDFF38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914069324.0000021CDFF46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764708272.0000021CDFF48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1846076822.0000021CE0047000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853385603.0000021CE0047000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1925966168.0000021CDFFB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764708272.0000021CDFFB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896885796.0000021CDFFB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1892813192.0000021CE1885000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1925966168.0000021CDFFB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764708272.0000021CDFFB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1708710784.0000021CD7B33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1897664484.0000021CDBEE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926610665.0000021CDBEE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1786832770.0000021CD9640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787641710.0000021CD8875000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787220127.0000021CD886C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1782406335.0000021CD967B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1708710784.0000021CD7B33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1922064463.0000021CD9329000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2922394955.000001FDB9BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F6051E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2927382658.0000020364805000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1892813192.0000021CE1898000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752969495.0000021CDA540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890081399.0000021CE3E87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1705606587.0000021CD7F1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1896885796.0000021CDFFA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773217807.0000021CD949D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922399692.0000021CD9299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851049230.0000021CD949D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705606587.0000021CD7F1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1892813192.0000021CE18F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2926551235.000001FDB9C20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2925761107.000001F605200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2921932286.0000020364360000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1893303886.0000021CE064C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vk.com/	firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1897504464.0000021CDFF38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914069324.0000021CDFF46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764708272.0000021CDFF48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1787220127.0000021CD886C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1708710784.0000021CD7B33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000D.00000003.1764708272.0000021CDFFB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1747472922.0000021CE00A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.185.174	youtube.com	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542975
Start date and time:	2024-10-27 02:12:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 52.13.186.250, 44.231.229.39, 142.250.185.142, 2.22.61.59, 2.22.61.56, 172.217.23.110, 142.250.184.234
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7688 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:13:06	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	1.zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
star-mini.c10r.facebook.com	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	48.70.9.8
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	33.116.222.61
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	56.137.166.170
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	48.192.213.242
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.22.199.153
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	48.70.9.8
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	33.116.222.61
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	56.137.166.170
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	48.192.213.242
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.22.199.153
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_5949e2ad-d4bf-4154-8303-ee11df99a20c.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183339172896362
Encrypted:	false
SSDEEP:	192:djMXOo7cbhbVbTbfbRbObtbyEl7nMrIJA6WnSrDtTUd/SkDran:dYTcNhnzFSJsr7BnSrDhUd/8n
MD5:	FEB087505964EEC1E22CC5EEA85152D9
SHA1:	4E8E9C9541F17FA758328EEF59EBCF74AF1128BA
SHA-256:	EA6B3593110A8210A177CB27CF42021D76AE3CBE6A1101C898521F370DE32FEB
SHA-512:	597D772B2658E8CF5FA220135E59B51262517F02D9FCFF5DAD54D35C583D90F9BAAEDF071F932FE4179E395A1E0AEC8A3EABAC8EA3D5D1DBC07787AB1AD0E9BC
Malicious:	false
Preview:	{"type":"uninstall","id":"5949e2ad-d4bf-4154-8303-ee11df99a20c","creationDate":"2024-10-27T01:53:20.765Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_5949e2ad-d4bf-4154-8303-ee11df99a20c.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183339172896362
Encrypted:	false
SSDEEP:	192:djMXOo7cbhbVbTbfbRbObtbyEl7nMrIJA6WnSrDtTUd/SkDran:dYTcNhnzFSJsr7BnSrDhUd/8n
MD5:	FEB087505964EEC1E22CC5EEA85152D9
SHA1:	4E8E9C9541F17FA758328EEF59EBCF74AF1128BA
SHA-256:	EA6B3593110A8210A177CB27CF42021D76AE3CBE6A1101C898521F370DE32FEB
SHA-512:	597D772B2658E8CF5FA220135E59B51262517F02D9FCFF5DAD54D35C583D90F9BAAEDF071F932FE4179E395A1E0AEC8A3EABAC8EA3D5D1DBC07787AB1AD0E9BC
Malicious:	false
Preview:	{"type":"uninstall","id":"5949e2ad-d4bf-4154-8303-ee11df99a20c","creationDate":"2024-10-27T01:53:20.765Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92384722383293
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNNEh:8S+OfJQPUFpOdwNIOdYVjvYcXaNLJo8P
MD5:	8A0BAD2D47296B8B77EF18557DF9BD78
SHA1:	305B66994C604094983217536B0FA82F74F662B4
SHA-256:	F3F8C8909983F7AF2298ED8CBAD2BE370119B988FBCF56C28D8DC6B93E47E106
SHA-512:	925DC1A4DA69D01B10CCD2716933A31B43F48212C183ACE31605728BADB03BADEAA695B07DD7EA5BB4CE7ED59FE060796F05AD1A3BE63F07D8FA7B6D5B45F4AC
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92384722383293
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNNEh:8S+OfJQPUFpOdwNIOdYVjvYcXaNLJo8P
MD5:	8A0BAD2D47296B8B77EF18557DF9BD78
SHA1:	305B66994C604094983217536B0FA82F74F662B4
SHA-256:	F3F8C8909983F7AF2298ED8CBAD2BE370119B988FBCF56C28D8DC6B93E47E106
SHA-512:	925DC1A4DA69D01B10CCD2716933A31B43F48212C183ACE31605728BADB03BADEAA695B07DD7EA5BB4CE7ED59FE060796F05AD1A3BE63F07D8FA7B6D5B45F4AC
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333858257979299
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	FD71C07F9A6DBBA6CDAC2D624A08BA19
SHA1:	A55FEFCC4E6879669BFE6018D5F868002E85928F
SHA-256:	1E7273547CFD55847C559F1D9FADE712888D66FFB65EB6A00889DEAF86C44E23
SHA-512:	0562415D00AC3048E1B676B75A081C94A49CD08B228D5FEA2EB9D4E965F890C4AE195804DE563F69FFBB99CC8D7B65EB1FFC18A1405E82439DF323EEB6DBE888
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFpA5m5eN8HY1lstFpA5m5eNklD89//alEl:GtWtwN84WtwNkZ89XuM
MD5:	CF8E0B5EE777B9E31014DAA185DF1EF7
SHA1:	FF7229E565CBB37DE8030B3B991DE40F83677386
SHA-256:	F8459EC2734C2B5DD3A8C4DE2556A7149A317159C779D6CA6159356391844652
SHA-512:	640EB270B53E252ACF2DDC6FA013E2D28E59B04D1F22BA47B659C2712D02ABE5ADD3713FE59C22F6E4E94420EA45E8C5E948EBDDE9CF723518BF5A2952A2300A
Malicious:	false
Preview:	..-.....................~.;..<.b].....Y..I.G..!..-.....................~.;..<.b].....Y..I.G..!........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03998118428817617
Encrypted:	false
SSDEEP:	3:Ol1EpxNI4TwH4wl8rEXsxdwhml8XW3R2:K2SHrl8dMhm93w
MD5:	99F6D64C2E5F1170AACBA00DD3A819DA
SHA1:	6D81A0A4B361AC5B934C4E374FF4E2AF603DBB62
SHA-256:	112E6D7619C6588760B3EED6E8A7856831F6E3C3DE42C62EA870ABD73F95BB58
SHA-512:	9971BF48457FA71C9A87AB03D4EAB6454569DAE1129486A45193504B0E07404C0CD306C21F5757C2900C374EE9CCFAEBE257C6C7D97BA457744385BFE88ACCFF
Malicious:	false
Preview:	7....-..........].....Yb..pt...........].....Y.;.~b.<.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494001104187165
Encrypted:	false
SSDEEP:	192:YnaRtLYbBp6Qhj4qyaaXN6KNCNJb5RfGNBw8dtSl:VeeqPWulcwq0
MD5:	284BDB000978F8EECA63B6A292922B86
SHA1:	3515BCFA547621D9739776E67A515E32BF6FBDE6
SHA-256:	F2A182A2599B9C5187547E03D9312740A19FEDB6E5BE5F0E436B865ADE30BE9C
SHA-512:	5821146D3A1A4EB022FC05583F72D914CC8DB94BCD7A2DB948E54ACEF8E5905EAB1275B4425CC03068B0815E8FC415CA134C0A60EB25148E29F5A9438422F9A2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729993971);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729993971);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729993971);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172999

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494001104187165
Encrypted:	false
SSDEEP:	192:YnaRtLYbBp6Qhj4qyaaXN6KNCNJb5RfGNBw8dtSl:VeeqPWulcwq0
MD5:	284BDB000978F8EECA63B6A292922B86
SHA1:	3515BCFA547621D9739776E67A515E32BF6FBDE6
SHA-256:	F2A182A2599B9C5187547E03D9312740A19FEDB6E5BE5F0E436B865ADE30BE9C
SHA-512:	5821146D3A1A4EB022FC05583F72D914CC8DB94BCD7A2DB948E54ACEF8E5905EAB1275B4425CC03068B0815E8FC415CA134C0A60EB25148E29F5A9438422F9A2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729993971);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729993971);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729993971);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172999

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.3372372242302415
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSjLXnIg6J/pnxQwRlscT5sKt07U3eHVQj6THamhujJlOsIomNVr0ay:GUpOx2YnRfsU3eHTH4JlIquR4
MD5:	0D9EBAB3997E568BAF3B2A240D175726
SHA1:	D7E680BC2F649A4CB3431C62ED946B9F54E70E2C
SHA-256:	D8B02B6C5B24FE3EA46CF80323DEEB889C6E09D1AC499CF333A00FB9B207A84F
SHA-512:	F3B678DA0892E06DCD2F5840AA07CDF6F34260A866D13389A71F35E5F003F12FF724371D37C3B79E16C71FB3229D2549920E2E36B2833AE9868F36A34D71E883
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a0956618-1d38-4560-bbd8-ab6896f9f7d8}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729993977624,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..P40594...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...47114,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.3372372242302415
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSjLXnIg6J/pnxQwRlscT5sKt07U3eHVQj6THamhujJlOsIomNVr0ay:GUpOx2YnRfsU3eHTH4JlIquR4
MD5:	0D9EBAB3997E568BAF3B2A240D175726
SHA1:	D7E680BC2F649A4CB3431C62ED946B9F54E70E2C
SHA-256:	D8B02B6C5B24FE3EA46CF80323DEEB889C6E09D1AC499CF333A00FB9B207A84F
SHA-512:	F3B678DA0892E06DCD2F5840AA07CDF6F34260A866D13389A71F35E5F003F12FF724371D37C3B79E16C71FB3229D2549920E2E36B2833AE9868F36A34D71E883
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a0956618-1d38-4560-bbd8-ab6896f9f7d8}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729993977624,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..P40594...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...47114,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.3372372242302415
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSjLXnIg6J/pnxQwRlscT5sKt07U3eHVQj6THamhujJlOsIomNVr0ay:GUpOx2YnRfsU3eHTH4JlIquR4
MD5:	0D9EBAB3997E568BAF3B2A240D175726
SHA1:	D7E680BC2F649A4CB3431C62ED946B9F54E70E2C
SHA-256:	D8B02B6C5B24FE3EA46CF80323DEEB889C6E09D1AC499CF333A00FB9B207A84F
SHA-512:	F3B678DA0892E06DCD2F5840AA07CDF6F34260A866D13389A71F35E5F003F12FF724371D37C3B79E16C71FB3229D2549920E2E36B2833AE9868F36A34D71E883
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a0956618-1d38-4560-bbd8-ab6896f9f7d8}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729993977624,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..P40594...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...47114,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034101531007739
Encrypted:	false
SSDEEP:	48:YrSAYrw6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycUyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	C138D6A78B283E912EED1CD51D981084
SHA1:	8BF93219696EB21C514A7B34A9CAB45CA4F3F31D
SHA-256:	04831DA32333EF0BFFAF6A744264274520608D4119304E8230316941528160E5
SHA-512:	6CD89A03FEF997D9CC31C615B8687D4A9A2B42CA2929A40F9438643CF1A452F10801B852DCB5E80AC34C57186ADFD03DF32A1C35A718221BAD0949218F1EE665
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-27T01:52:40.768Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034101531007739
Encrypted:	false
SSDEEP:	48:YrSAYrw6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycUyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	C138D6A78B283E912EED1CD51D981084
SHA1:	8BF93219696EB21C514A7B34A9CAB45CA4F3F31D
SHA-256:	04831DA32333EF0BFFAF6A744264274520608D4119304E8230316941528160E5
SHA-512:	6CD89A03FEF997D9CC31C615B8687D4A9A2B42CA2929A40F9438643CF1A452F10801B852DCB5E80AC34C57186ADFD03DF32A1C35A718221BAD0949218F1EE665
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-27T01:52:40.768Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584679170743758
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	085a2d34bb54fb4307229313b154231a
SHA1:	92f875b6f66a2391ce5cd4a7ec771811b97b4349
SHA256:	3f8ba298be141ece1ab099ad1383eb19f597be3e7823ff603b8cad470258f38f
SHA512:	13fb89798c73540a23ea0964f47f0cf3fafde33e0e1a826f9cfcf96bbdae957db2512d0dd3af3250a7fcad144a2eeffdad7b85f8764dce55a7cd9dd2a986e0de
SSDEEP:	12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TP:GqDEvCTbMWu7rQYlBQcBiT6rprG8abP
TLSH:	76159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671D8411 [Sun Oct 27 00:06:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FBCBC637D53h
jmp 00007FBCBC63765Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBCBC63783Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBCBC63780Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FBCBC63A3FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FBCBC63A448h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FBCBC63A431h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	95e104d1262c3568684a64bbe4a554e0	False	0.31578817246835444	data	5.373775132327272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 02:13:02.834646940 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:02.834738970 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:02.837385893 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:02.846182108 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:02.846203089 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:03.476694107 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:03.476819992 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:03.485603094 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:03.485618114 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:03.485728025 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:03.485966921 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:03.486032009 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:05.154635906 CEST	49738	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:05.154711008 CEST	443	49738	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:05.154936075 CEST	49738	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:05.157077074 CEST	49738	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:05.157114029 CEST	443	49738	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:05.353107929 CEST	49739	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:05.353158951 CEST	443	49739	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:05.356817007 CEST	49739	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:05.359250069 CEST	49739	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:05.359268904 CEST	443	49739	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:05.368622065 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:05.374044895 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:05.385931969 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:05.386115074 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:05.391458035 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:05.739120007 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:05.739219904 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:05.740456104 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:05.746493101 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:05.746510029 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:05.774645090 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:05.774673939 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:05.792691946 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:05.793433905 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:05.793462992 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:05.972510099 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:06.016525984 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.018352032 CEST	443	49738	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.018445969 CEST	49738	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.019357920 CEST	443	49738	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.019437075 CEST	49738	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.178340912 CEST	49738	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.178399086 CEST	443	49738	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.178503990 CEST	49738	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.179219007 CEST	443	49738	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.179348946 CEST	49738	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.196202040 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.196274042 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.197640896 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.199656010 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.199696064 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.215336084 CEST	443	49739	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.217185020 CEST	49739	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.218847036 CEST	443	49739	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.220798016 CEST	49739	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.226572037 CEST	49739	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.226583004 CEST	443	49739	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.226712942 CEST	49739	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.226851940 CEST	443	49739	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.227133989 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.227155924 CEST	443	49745	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.232886076 CEST	49739	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.232928038 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.234961033 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:06.234977007 CEST	443	49745	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:06.236195087 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.241791010 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:06.241885900 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.242168903 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.247608900 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:06.315268040 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.315304041 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:06.315661907 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.315867901 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.315886021 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:06.369041920 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.369153023 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.375685930 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.375708103 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.375813961 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.375998974 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.376255989 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.376323938 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.376327038 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.376485109 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.378433943 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.378467083 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.407529116 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:06.407545090 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:06.407620907 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:06.411999941 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:06.412014961 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:06.412619114 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:06.415590048 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:06.415695906 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:06.415791988 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:06.415858984 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:06.463728905 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.469577074 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:06.480266094 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.625447035 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.630873919 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:06.631011963 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.631337881 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.636801004 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:06.827817917 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.834764004 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.849150896 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:06.850946903 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.854089022 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.854113102 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.854242086 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.854779959 CEST	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.854823112 CEST	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.854852915 CEST	443	49744	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.855920076 CEST	49744	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.855998039 CEST	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.856611967 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:06.858025074 CEST	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:06.858052969 CEST	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.858217955 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:06.935595989 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:06.938565016 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.942734957 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.942749023 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:06.943146944 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:06.945699930 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.945847034 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.945882082 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:06.946361065 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.946402073 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:06.946465015 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.946485996 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.946711063 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.946891069 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:06.946907997 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:06.991580963 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:06.992260933 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.000483036 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.000513077 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:07.000543118 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.001092911 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:07.001359940 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.093867064 CEST	443	49745	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:07.094543934 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:07.096401930 CEST	443	49745	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:07.115010977 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:07.155350924 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:07.162121058 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:07.162137985 CEST	443	49745	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:07.162218094 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:07.162806034 CEST	443	49745	142.250.185.174	192.168.2.4
Oct 27, 2024 02:13:07.175442934 CEST	49745	443	192.168.2.4	142.250.185.174
Oct 27, 2024 02:13:07.219926119 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:07.276278973 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:07.481331110 CEST	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:07.483115911 CEST	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.524569035 CEST	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.524595976 CEST	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:07.524640083 CEST	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.525202990 CEST	443	49750	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:07.526916981 CEST	49750	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.593048096 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:07.593210936 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:07.595753908 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:07.595762014 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:07.596509933 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:07.598304987 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:07.598398924 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:07.598655939 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 27, 2024 02:13:07.599524975 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 27, 2024 02:13:07.820926905 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.821011066 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:07.822423935 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:07.823473930 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.824954987 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:07.824986935 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:07.835572004 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:08.092891932 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:08.122905016 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:08.724674940 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:08.733886957 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:08.733967066 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:08.734019995 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:08.734040022 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:08.734049082 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:08.734077930 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:08.734097958 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:08.734224081 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:08.743664980 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:08.851371050 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:08.909622908 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:09.075885057 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:09.078177929 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:09.078258038 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:09.078917027 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:09.080893993 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:09.080929041 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:09.126604080 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:09.213728905 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:09.213794947 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:09.351190090 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:09.351281881 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.356364012 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.356384039 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:09.356508970 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.356590986 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:09.356967926 CEST	49758	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.356978893 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.357059956 CEST	443	49758	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:09.357145071 CEST	49758	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.358603954 CEST	49758	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.358639956 CEST	443	49758	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:09.695838928 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:09.695930958 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:09.700598001 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:09.700623035 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:09.700664997 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:09.701067924 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:09.701131105 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:09.986828089 CEST	443	49758	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:09.987945080 CEST	49758	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.993159056 CEST	49758	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.993211985 CEST	443	49758	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:09.993319035 CEST	49758	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:09.993513107 CEST	443	49758	34.117.188.166	192.168.2.4
Oct 27, 2024 02:13:09.993583918 CEST	49758	443	192.168.2.4	34.117.188.166
Oct 27, 2024 02:13:12.939500093 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:12.945014000 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:12.959465981 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:12.959498882 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:12.959969997 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:12.961450100 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:12.961467981 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:12.988080978 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:12.993458986 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:13.034080982 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:13.034146070 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:13.034501076 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:13.035877943 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:13.035914898 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:13.036282063 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:13.036294937 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:13.036421061 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:13.036562920 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:13.036576986 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:13.063558102 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:13.108813047 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:13.111339092 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:13.177917004 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:13.368659973 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:13.374228954 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:13.492633104 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:13.543231964 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:13.598242044 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:13.598351002 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:13.602931976 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:13.602958918 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:13.603038073 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:13.603302956 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:13.604980946 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:13.660229921 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:13.660315037 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:13.662889957 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:13.662909031 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:13.663253069 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:13.665535927 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:13.665611029 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:13.665745974 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:13.665858984 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:13.687643051 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:13.687725067 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:13.691816092 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:13.691843987 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:13.691888094 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:13.692105055 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:13.693114996 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:17.732120991 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:17.737567902 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:17.754147053 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:17.754215002 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:17.754652977 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:17.756695032 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:17.756724119 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:17.855593920 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:17.909043074 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:18.016123056 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.016191959 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.016427994 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.016463041 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.018315077 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.018414974 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.018477917 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.018498898 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.018603086 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.018620014 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.373116970 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.375979900 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.382060051 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.382096052 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.382169008 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.382610083 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.382688046 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.635889053 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.637327909 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.642457008 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.642632008 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.646155119 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.646182060 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.646603107 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.649513006 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.649538994 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.649950027 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.653085947 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.653208971 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.653306961 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.653383970 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.653512001 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:18.653578997 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.653604984 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:18.653755903 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:21.035126925 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:21.040724039 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:21.149554968 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:21.152178049 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:21.152260065 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:21.153606892 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:21.155175924 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:21.155586004 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:21.155627966 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:21.158842087 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:21.200397015 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:21.238462925 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:21.238548040 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:21.240674973 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:21.241974115 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:21.242014885 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:21.273135900 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:21.322858095 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:21.602055073 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:21.607713938 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:21.728933096 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:21.776005983 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:21.782258987 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:21.786531925 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:21.856421947 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:21.859590054 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:21.889786005 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:21.889852047 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:21.889934063 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:21.890081882 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:21.890130043 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:21.890160084 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 27, 2024 02:13:21.890180111 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:21.890338898 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:13:21.890678883 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:21.891041040 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:22.858486891 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:22.864084005 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:22.982022047 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:23.025839090 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:23.080859900 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:23.086476088 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:23.205259085 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:23.248594999 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:31.098917961 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.098953962 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.101130962 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.101304054 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.101315022 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.103733063 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.103816986 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:31.106703043 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.106954098 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.106991053 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:31.108138084 CEST	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:31.108165979 CEST	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:31.109707117 CEST	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:31.111170053 CEST	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:31.111200094 CEST	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:31.113915920 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.113993883 CEST	443	49776	151.101.1.91	192.168.2.4
Oct 27, 2024 02:13:31.137934923 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.151834965 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.151885033 CEST	443	49776	151.101.1.91	192.168.2.4
Oct 27, 2024 02:13:31.152322054 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 27, 2024 02:13:31.152358055 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 27, 2024 02:13:31.164360046 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 27, 2024 02:13:31.165844917 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 27, 2024 02:13:31.165860891 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 27, 2024 02:13:31.718255997 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.718350887 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.722934008 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.722945929 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.723289967 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.725879908 CEST	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:31.725984097 CEST	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:31.727539062 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.727739096 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.727794886 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.727818966 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.729197979 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:31.731069088 CEST	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:31.731084108 CEST	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:31.731162071 CEST	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:31.731275082 CEST	443	49775	35.190.72.216	192.168.2.4
Oct 27, 2024 02:13:31.732012033 CEST	49775	443	192.168.2.4	35.190.72.216
Oct 27, 2024 02:13:31.732287884 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.734560013 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.734570980 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:31.734827042 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:31.735063076 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:31.737386942 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.737483978 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.737587929 CEST	443	49774	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:31.738357067 CEST	49774	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.740267038 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:31.767729998 CEST	443	49776	151.101.1.91	192.168.2.4
Oct 27, 2024 02:13:31.767750978 CEST	443	49776	151.101.1.91	192.168.2.4
Oct 27, 2024 02:13:31.767821074 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.770302057 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.770330906 CEST	443	49776	151.101.1.91	192.168.2.4
Oct 27, 2024 02:13:31.770734072 CEST	443	49776	151.101.1.91	192.168.2.4
Oct 27, 2024 02:13:31.773495913 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.773597002 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.773690939 CEST	443	49776	151.101.1.91	192.168.2.4
Oct 27, 2024 02:13:31.775779009 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 27, 2024 02:13:31.775791883 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 27, 2024 02:13:31.779663086 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.779700994 CEST	49776	443	192.168.2.4	151.101.1.91
Oct 27, 2024 02:13:31.779717922 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 27, 2024 02:13:31.782619953 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.782670021 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.783535957 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.783839941 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.783869028 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.785609007 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.785638094 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.785878897 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 27, 2024 02:13:31.785885096 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 27, 2024 02:13:31.785959959 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 27, 2024 02:13:31.786014080 CEST	443	49777	35.201.103.21	192.168.2.4
Oct 27, 2024 02:13:31.786053896 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.786279917 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.786293983 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.787118912 CEST	49777	443	192.168.2.4	35.201.103.21
Oct 27, 2024 02:13:31.789855003 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.789884090 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.794929981 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.795121908 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.795136929 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.800750971 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.800815105 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:31.800934076 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.801048994 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:31.801074982 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:31.858259916 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:31.863486052 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:31.868892908 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:31.901940107 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:31.935353994 CEST	443	49773	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:31.935422897 CEST	49773	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:31.987186909 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:32.033540964 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:32.401226044 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.401442051 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.404738903 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.404762983 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.405111074 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.407807112 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.407903910 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.408024073 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.408086061 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.408087015 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.408168077 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.410278082 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.410285950 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.410986900 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.411420107 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.413835049 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.413907051 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.414040089 CEST	443	49779	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.414055109 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.414068937 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.416429043 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.416439056 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.416769028 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.417295933 CEST	49779	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.419380903 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:32.419955015 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.420021057 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.420391083 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 27, 2024 02:13:32.422218084 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 27, 2024 02:13:32.424765110 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:32.434433937 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:32.434513092 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:32.436820984 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:32.436841965 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:32.437592030 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:32.438931942 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:32.438997984 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:32.439213991 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 27, 2024 02:13:32.439273119 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:32.439580917 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 27, 2024 02:13:32.543703079 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:32.546701908 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:32.552234888 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:32.588316917 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:32.671251059 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:32.719928026 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:32.931233883 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:32.931355000 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:32.931626081 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:32.933137894 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:32.933187008 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:33.556662083 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:33.556751966 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:33.561372042 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:33.561398029 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:33.561444044 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:33.561681032 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:33.562675953 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:33.564249992 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:33.569628954 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:33.687309027 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:33.690526962 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:33.695996046 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:33.738370895 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:33.814167976 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:33.860749006 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:43.694207907 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:43.699923992 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:43.825706959 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:43.831392050 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:53.575309038 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:53.575361013 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:53.575988054 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:53.578152895 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:53.578171968 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:53.719754934 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:53.725466967 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:53.835495949 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:53.841032982 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:54.191788912 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:54.191968918 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:54.197591066 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:54.197603941 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:54.197731972 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:54.197810888 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 27, 2024 02:13:54.198738098 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:13:54.201560974 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:54.207070112 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:54.325315952 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:54.328710079 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:54.334197998 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:54.367774963 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:13:54.452861071 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:13:54.499433994 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:01.258882999 CEST	49807	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.258975983 CEST	443	49807	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.259021997 CEST	49808	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.259124994 CEST	443	49808	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.259124994 CEST	49809	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.259164095 CEST	443	49809	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.259365082 CEST	49809	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.259371996 CEST	49807	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.259377003 CEST	49808	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.259507895 CEST	49807	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.259529114 CEST	443	49807	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.259644032 CEST	49809	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.259660959 CEST	443	49809	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.259742975 CEST	49808	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.259769917 CEST	443	49808	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.870536089 CEST	443	49808	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.870738983 CEST	49808	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.873982906 CEST	49808	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.873991013 CEST	443	49808	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.874305964 CEST	443	49808	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.876396894 CEST	49808	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.876483917 CEST	443	49809	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.876543999 CEST	49808	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.876591921 CEST	443	49808	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.879236937 CEST	49808	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.879261017 CEST	49809	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.882363081 CEST	49809	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.882378101 CEST	443	49809	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.882885933 CEST	443	49809	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.883519888 CEST	443	49807	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.883702040 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:01.884315014 CEST	49807	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.886571884 CEST	49807	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.886590004 CEST	443	49807	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.886923075 CEST	443	49807	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.888454914 CEST	49809	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.888580084 CEST	49809	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.888659000 CEST	443	49809	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.889134884 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:01.889184952 CEST	49809	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.889533997 CEST	49807	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.889619112 CEST	49807	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:01.889718056 CEST	443	49807	34.120.208.123	192.168.2.4
Oct 27, 2024 02:14:01.890381098 CEST	49807	443	192.168.2.4	34.120.208.123
Oct 27, 2024 02:14:02.007220984 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:02.030921936 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:02.036343098 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:02.048511028 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:02.155149937 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:02.198044062 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:09.178474903 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:09.183837891 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:09.301920891 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:09.305277109 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:09.310740948 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:09.354079008 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:09.429400921 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:09.469887018 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:19.315738916 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:19.321012020 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:19.431982994 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:19.437273979 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:29.330413103 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:29.336088896 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:29.446409941 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:29.451874018 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:34.230959892 CEST	49990	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:14:34.230997086 CEST	443	49990	34.107.243.93	192.168.2.4
Oct 27, 2024 02:14:34.231293917 CEST	49990	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:14:34.233460903 CEST	49990	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:14:34.233473063 CEST	443	49990	34.107.243.93	192.168.2.4
Oct 27, 2024 02:14:34.860690117 CEST	443	49990	34.107.243.93	192.168.2.4
Oct 27, 2024 02:14:34.860935926 CEST	49990	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:14:34.867805004 CEST	49990	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:14:34.867810011 CEST	443	49990	34.107.243.93	192.168.2.4
Oct 27, 2024 02:14:34.867961884 CEST	49990	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:14:34.868006945 CEST	443	49990	34.107.243.93	192.168.2.4
Oct 27, 2024 02:14:34.869847059 CEST	49990	443	192.168.2.4	34.107.243.93
Oct 27, 2024 02:14:34.871947050 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:34.877417088 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:34.995337963 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:34.999676943 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:35.005445004 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:35.047446966 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:35.124382019 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:35.179107904 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:45.006700993 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:45.144875050 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:45.173747063 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:45.173780918 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:55.173746109 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:55.179372072 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:14:55.189150095 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:14:55.194694996 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 27, 2024 02:15:05.185201883 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:15:05.191744089 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 27, 2024 02:15:05.200826883 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 27, 2024 02:15:05.206242085 CEST	80	49749	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 02:13:02.835306883 CEST	52465	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:02.843461990 CEST	53	52465	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:02.845309019 CEST	62150	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:02.853322029 CEST	53	62150	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.142709017 CEST	65222	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.150248051 CEST	53	65222	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.154938936 CEST	63157	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.162012100 CEST	53	63157	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.164050102 CEST	64584	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.171372890 CEST	53	64584	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.315361023 CEST	64189	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.324099064 CEST	64783	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.331446886 CEST	53	64783	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.342128038 CEST	56853	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.349720955 CEST	53	56853	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.726561069 CEST	61809	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.734544992 CEST	53	61809	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.739793062 CEST	57321	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.747153044 CEST	53	57321	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.751394033 CEST	57287	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.758959055 CEST	53	57287	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.775419950 CEST	57136	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.783139944 CEST	53	57136	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:05.805751085 CEST	64104	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:05.813127041 CEST	53	64104	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:06.187139988 CEST	62476	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.194417000 CEST	53	62476	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:06.196737051 CEST	50945	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.201567888 CEST	59541	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.204360008 CEST	53	50945	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:06.205985069 CEST	65092	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.208765030 CEST	53	59541	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:06.210738897 CEST	61457	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.214782000 CEST	53	65092	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:06.216254950 CEST	60550	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.218179941 CEST	53	61457	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:06.306323051 CEST	52766	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.314234018 CEST	53	52766	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:06.315525055 CEST	50041	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.322987080 CEST	53	50041	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:06.324290037 CEST	57001	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:06.331537008 CEST	53	57001	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:07.529658079 CEST	63571	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:07.570869923 CEST	53	61200	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:08.508872986 CEST	64504	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:08.735920906 CEST	53	64504	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:08.737119913 CEST	51378	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:08.745352030 CEST	53	51378	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:08.745801926 CEST	50600	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:08.753695965 CEST	53	50600	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:12.959803104 CEST	64501	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:12.960618019 CEST	64443	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:12.966886044 CEST	53	64501	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:12.967845917 CEST	53	64443	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:12.969171047 CEST	60490	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:12.977540970 CEST	53	60490	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:12.979212999 CEST	63259	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:13.015561104 CEST	53	63259	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:13.016208887 CEST	62900	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:13.024276018 CEST	53	62900	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:13.025398016 CEST	60565	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:13.026585102 CEST	50259	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:13.032505035 CEST	53	60565	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:13.034329891 CEST	56594	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:13.035026073 CEST	53	50259	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:13.041619062 CEST	53	56594	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:13.044028997 CEST	53168	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:13.052154064 CEST	53	53168	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:18.017529011 CEST	53463	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:18.025711060 CEST	53	53463	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:21.242484093 CEST	63541	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:21.249932051 CEST	53	63541	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.088668108 CEST	49743	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.088953972 CEST	60902	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.088954926 CEST	53885	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.095885038 CEST	53	49743	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.096057892 CEST	53	60902	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.096584082 CEST	61186	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.096810102 CEST	53	53885	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.096813917 CEST	55268	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.097320080 CEST	55124	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.103976011 CEST	53	55268	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.104422092 CEST	56350	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.104536057 CEST	53	61186	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.104913950 CEST	63229	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.105124950 CEST	53	55124	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.105443001 CEST	57742	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.111741066 CEST	53	56350	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.112221003 CEST	54576	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.112564087 CEST	53	63229	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.112833023 CEST	53	57742	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.112994909 CEST	54156	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.119636059 CEST	53	54576	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.120069027 CEST	53	54156	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.120187044 CEST	56623	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.120578051 CEST	64664	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.127995014 CEST	53	64664	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.128288984 CEST	53	56623	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.128462076 CEST	49995	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.128752947 CEST	62213	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:26.136105061 CEST	53	49995	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:26.136205912 CEST	53	62213	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:31.098613977 CEST	58777	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:31.106275082 CEST	53	58777	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:31.113032103 CEST	61852	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:31.115814924 CEST	53027	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:31.118773937 CEST	64207	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:31.121371031 CEST	53	61852	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:31.124450922 CEST	53	53027	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:31.126583099 CEST	53	64207	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:31.141515017 CEST	52122	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:31.143887043 CEST	58925	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:31.149574041 CEST	53	52122	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:31.151192904 CEST	53	58925	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:31.177109957 CEST	55283	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:31.184824944 CEST	53	55283	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:32.932041883 CEST	62273	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:32.939770937 CEST	53	62273	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:53.573872089 CEST	57940	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:53.581989050 CEST	53	57940	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:53.585674047 CEST	64760	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:53.592938900 CEST	53	64760	1.1.1.1	192.168.2.4
Oct 27, 2024 02:13:54.202470064 CEST	64810	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:13:54.209743977 CEST	53	64810	1.1.1.1	192.168.2.4
Oct 27, 2024 02:14:01.258135080 CEST	53805	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:14:01.265443087 CEST	53	53805	1.1.1.1	192.168.2.4
Oct 27, 2024 02:14:01.883501053 CEST	50007	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:14:34.218991041 CEST	53368	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:14:34.226847887 CEST	53	53368	1.1.1.1	192.168.2.4
Oct 27, 2024 02:14:34.230689049 CEST	64170	53	192.168.2.4	1.1.1.1
Oct 27, 2024 02:14:34.237997055 CEST	53	64170	1.1.1.1	192.168.2.4
Oct 27, 2024 02:14:34.872134924 CEST	57080	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 02:13:02.835306883 CEST	192.168.2.4	1.1.1.1	0xb248	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:02.845309019 CEST	192.168.2.4	1.1.1.1	0x7d54	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:05.142709017 CEST	192.168.2.4	1.1.1.1	0x4cb6	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.154938936 CEST	192.168.2.4	1.1.1.1	0xa879	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.164050102 CEST	192.168.2.4	1.1.1.1	0xae4c	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:05.315361023 CEST	192.168.2.4	1.1.1.1	0xdac1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.324099064 CEST	192.168.2.4	1.1.1.1	0x2e5a	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.342128038 CEST	192.168.2.4	1.1.1.1	0x7b2f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:05.726561069 CEST	192.168.2.4	1.1.1.1	0x233d	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.739793062 CEST	192.168.2.4	1.1.1.1	0xe8fc	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.751394033 CEST	192.168.2.4	1.1.1.1	0x15ff	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:05.775419950 CEST	192.168.2.4	1.1.1.1	0x16cf	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.805751085 CEST	192.168.2.4	1.1.1.1	0x2685	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:06.187139988 CEST	192.168.2.4	1.1.1.1	0x717d	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.196737051 CEST	192.168.2.4	1.1.1.1	0x5692	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.201567888 CEST	192.168.2.4	1.1.1.1	0x2f90	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.205985069 CEST	192.168.2.4	1.1.1.1	0x877d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:06.210738897 CEST	192.168.2.4	1.1.1.1	0xcf67	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.216254950 CEST	192.168.2.4	1.1.1.1	0x1cc5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.306323051 CEST	192.168.2.4	1.1.1.1	0xaeb6	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.315525055 CEST	192.168.2.4	1.1.1.1	0xf616	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.324290037 CEST	192.168.2.4	1.1.1.1	0x7486	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:07.529658079 CEST	192.168.2.4	1.1.1.1	0x95fe	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:08.508872986 CEST	192.168.2.4	1.1.1.1	0x3957	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:08.737119913 CEST	192.168.2.4	1.1.1.1	0x2e65	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:08.745801926 CEST	192.168.2.4	1.1.1.1	0xcb64	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:12.959803104 CEST	192.168.2.4	1.1.1.1	0xab3a	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:12.960618019 CEST	192.168.2.4	1.1.1.1	0xbf04	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:12.969171047 CEST	192.168.2.4	1.1.1.1	0x6151	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:12.979212999 CEST	192.168.2.4	1.1.1.1	0x3b7c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:13.016208887 CEST	192.168.2.4	1.1.1.1	0xb53b	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:13.025398016 CEST	192.168.2.4	1.1.1.1	0x338d	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:13.026585102 CEST	192.168.2.4	1.1.1.1	0x6fb8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:13.034329891 CEST	192.168.2.4	1.1.1.1	0x763c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:13.044028997 CEST	192.168.2.4	1.1.1.1	0x78e2	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:18.017529011 CEST	192.168.2.4	1.1.1.1	0x8d86	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:21.242484093 CEST	192.168.2.4	1.1.1.1	0xc529	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:26.088668108 CEST	192.168.2.4	1.1.1.1	0x4f83	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.088953972 CEST	192.168.2.4	1.1.1.1	0x2229	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.088954926 CEST	192.168.2.4	1.1.1.1	0xd9ed	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096584082 CEST	192.168.2.4	1.1.1.1	0x147e	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096813917 CEST	192.168.2.4	1.1.1.1	0x1672	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.097320080 CEST	192.168.2.4	1.1.1.1	0x17e5	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.104422092 CEST	192.168.2.4	1.1.1.1	0x3e6a	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:26.104913950 CEST	192.168.2.4	1.1.1.1	0xcd4f	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:26.105443001 CEST	192.168.2.4	1.1.1.1	0x3591	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 27, 2024 02:13:26.112221003 CEST	192.168.2.4	1.1.1.1	0xe925	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.112994909 CEST	192.168.2.4	1.1.1.1	0xa99c	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.120187044 CEST	192.168.2.4	1.1.1.1	0x9d74	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.120578051 CEST	192.168.2.4	1.1.1.1	0x6f9d	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.128462076 CEST	192.168.2.4	1.1.1.1	0x90cd	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:26.128752947 CEST	192.168.2.4	1.1.1.1	0xb3ad	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:31.098613977 CEST	192.168.2.4	1.1.1.1	0xc07c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.113032103 CEST	192.168.2.4	1.1.1.1	0x54f5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 27, 2024 02:13:31.115814924 CEST	192.168.2.4	1.1.1.1	0x5644	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.118773937 CEST	192.168.2.4	1.1.1.1	0x80cf	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.141515017 CEST	192.168.2.4	1.1.1.1	0x5de6	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 27, 2024 02:13:31.143887043 CEST	192.168.2.4	1.1.1.1	0x933d	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.177109957 CEST	192.168.2.4	1.1.1.1	0x1e74	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:32.932041883 CEST	192.168.2.4	1.1.1.1	0x2569	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:53.573872089 CEST	192.168.2.4	1.1.1.1	0x8355	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:53.585674047 CEST	192.168.2.4	1.1.1.1	0x4f41	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:13:54.202470064 CEST	192.168.2.4	1.1.1.1	0x1b49	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:14:01.258135080 CEST	192.168.2.4	1.1.1.1	0x11b1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:14:01.883501053 CEST	192.168.2.4	1.1.1.1	0xa911	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:14:34.218991041 CEST	192.168.2.4	1.1.1.1	0x2d80	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:14:34.230689049 CEST	192.168.2.4	1.1.1.1	0xb7b6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 27, 2024 02:14:34.872134924 CEST	192.168.2.4	1.1.1.1	0x6bd0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 02:13:02.806282997 CEST	1.1.1.1	192.168.2.4	0xd99d	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:02.843461990 CEST	1.1.1.1	192.168.2.4	0xb248	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.150248051 CEST	1.1.1.1	192.168.2.4	0x4cb6	No error (0)	youtube.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.162012100 CEST	1.1.1.1	192.168.2.4	0xa879	No error (0)	youtube.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.171372890 CEST	1.1.1.1	192.168.2.4	0xae4c	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 27, 2024 02:13:05.322734118 CEST	1.1.1.1	192.168.2.4	0xdac1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:05.322734118 CEST	1.1.1.1	192.168.2.4	0xdac1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.331446886 CEST	1.1.1.1	192.168.2.4	0x2e5a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.349720955 CEST	1.1.1.1	192.168.2.4	0x7b2f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 02:13:05.734544992 CEST	1.1.1.1	192.168.2.4	0x233d	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.747153044 CEST	1.1.1.1	192.168.2.4	0xe8fc	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.773266077 CEST	1.1.1.1	192.168.2.4	0xcdef	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:05.773266077 CEST	1.1.1.1	192.168.2.4	0xcdef	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:05.783139944 CEST	1.1.1.1	192.168.2.4	0x16cf	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.194417000 CEST	1.1.1.1	192.168.2.4	0x717d	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:06.194417000 CEST	1.1.1.1	192.168.2.4	0x717d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.204360008 CEST	1.1.1.1	192.168.2.4	0x5692	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.208765030 CEST	1.1.1.1	192.168.2.4	0x2f90	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.218179941 CEST	1.1.1.1	192.168.2.4	0xcf67	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.218179941 CEST	1.1.1.1	192.168.2.4	0xcf67	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.223511934 CEST	1.1.1.1	192.168.2.4	0x1cc5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:06.223511934 CEST	1.1.1.1	192.168.2.4	0x1cc5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.314234018 CEST	1.1.1.1	192.168.2.4	0xaeb6	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:06.314234018 CEST	1.1.1.1	192.168.2.4	0xaeb6	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:06.314234018 CEST	1.1.1.1	192.168.2.4	0xaeb6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.322987080 CEST	1.1.1.1	192.168.2.4	0xf616	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:06.331537008 CEST	1.1.1.1	192.168.2.4	0x7486	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 27, 2024 02:13:07.537964106 CEST	1.1.1.1	192.168.2.4	0x95fe	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:08.735920906 CEST	1.1.1.1	192.168.2.4	0x3957	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:08.745352030 CEST	1.1.1.1	192.168.2.4	0x2e65	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:12.948040962 CEST	1.1.1.1	192.168.2.4	0x78ec	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:12.966886044 CEST	1.1.1.1	192.168.2.4	0xab3a	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:12.966886044 CEST	1.1.1.1	192.168.2.4	0xab3a	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:12.966886044 CEST	1.1.1.1	192.168.2.4	0xab3a	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:12.967845917 CEST	1.1.1.1	192.168.2.4	0xbf04	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:13.015561104 CEST	1.1.1.1	192.168.2.4	0x3b7c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:13.032505035 CEST	1.1.1.1	192.168.2.4	0x338d	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:13.032505035 CEST	1.1.1.1	192.168.2.4	0x338d	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:13.033001900 CEST	1.1.1.1	192.168.2.4	0x7bcb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:13.033001900 CEST	1.1.1.1	192.168.2.4	0x7bcb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:13.041619062 CEST	1.1.1.1	192.168.2.4	0x763c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:17.752264977 CEST	1.1.1.1	192.168.2.4	0xd508	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.095885038 CEST	1.1.1.1	192.168.2.4	0x4f83	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:26.095885038 CEST	1.1.1.1	192.168.2.4	0x4f83	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096057892 CEST	1.1.1.1	192.168.2.4	0x2229	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096810102 CEST	1.1.1.1	192.168.2.4	0xd9ed	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:26.096810102 CEST	1.1.1.1	192.168.2.4	0xd9ed	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.103976011 CEST	1.1.1.1	192.168.2.4	0x1672	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.104536057 CEST	1.1.1.1	192.168.2.4	0x147e	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.105124950 CEST	1.1.1.1	192.168.2.4	0x17e5	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.111741066 CEST	1.1.1.1	192.168.2.4	0x3e6a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 02:13:26.111741066 CEST	1.1.1.1	192.168.2.4	0x3e6a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 02:13:26.111741066 CEST	1.1.1.1	192.168.2.4	0x3e6a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 02:13:26.111741066 CEST	1.1.1.1	192.168.2.4	0x3e6a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 27, 2024 02:13:26.112564087 CEST	1.1.1.1	192.168.2.4	0xcd4f	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 27, 2024 02:13:26.112833023 CEST	1.1.1.1	192.168.2.4	0x3591	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 27, 2024 02:13:26.119636059 CEST	1.1.1.1	192.168.2.4	0xe925	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:26.119636059 CEST	1.1.1.1	192.168.2.4	0xe925	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.119636059 CEST	1.1.1.1	192.168.2.4	0xe925	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.119636059 CEST	1.1.1.1	192.168.2.4	0xe925	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.119636059 CEST	1.1.1.1	192.168.2.4	0xe925	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.120069027 CEST	1.1.1.1	192.168.2.4	0xa99c	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.127995014 CEST	1.1.1.1	192.168.2.4	0x6f9d	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.128288984 CEST	1.1.1.1	192.168.2.4	0x9d74	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.128288984 CEST	1.1.1.1	192.168.2.4	0x9d74	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.128288984 CEST	1.1.1.1	192.168.2.4	0x9d74	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:26.128288984 CEST	1.1.1.1	192.168.2.4	0x9d74	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.105833054 CEST	1.1.1.1	192.168.2.4	0x31bb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:31.105833054 CEST	1.1.1.1	192.168.2.4	0x31bb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.106275082 CEST	1.1.1.1	192.168.2.4	0xc07c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.106275082 CEST	1.1.1.1	192.168.2.4	0xc07c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.106275082 CEST	1.1.1.1	192.168.2.4	0xc07c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.106275082 CEST	1.1.1.1	192.168.2.4	0xc07c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.124450922 CEST	1.1.1.1	192.168.2.4	0x5644	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.124450922 CEST	1.1.1.1	192.168.2.4	0x5644	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.124450922 CEST	1.1.1.1	192.168.2.4	0x5644	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.124450922 CEST	1.1.1.1	192.168.2.4	0x5644	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.126583099 CEST	1.1.1.1	192.168.2.4	0x80cf	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:31.126583099 CEST	1.1.1.1	192.168.2.4	0x80cf	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:31.151192904 CEST	1.1.1.1	192.168.2.4	0x933d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:32.464003086 CEST	1.1.1.1	192.168.2.4	0x3f09	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:32.464003086 CEST	1.1.1.1	192.168.2.4	0x3f09	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:13:53.581989050 CEST	1.1.1.1	192.168.2.4	0x8355	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:13:54.209743977 CEST	1.1.1.1	192.168.2.4	0x1b49	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:14:01.254290104 CEST	1.1.1.1	192.168.2.4	0xf282	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:14:01.890626907 CEST	1.1.1.1	192.168.2.4	0xa911	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:14:01.890626907 CEST	1.1.1.1	192.168.2.4	0xa911	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:14:34.226847887 CEST	1.1.1.1	192.168.2.4	0x2d80	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 27, 2024 02:14:34.879837036 CEST	1.1.1.1	192.168.2.4	0x6bd0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 02:14:34.879837036 CEST	1.1.1.1	192.168.2.4	0x6bd0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:13:05.386115074 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:05.972510099 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37728 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:13:06.242168903 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:06.849150896 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41593 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	7688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:13:06.631337881 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:07.219926119 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37730 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:07.822423935 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:08.122905016 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:08.724674940 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:08.851371050 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37731 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:12.988080978 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:13.111339092 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37736 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:17.732120991 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:17.855593920 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37740 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:21.149554968 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:21.273135900 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37744 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:22.858486891 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:22.982022047 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37745 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:31.734827042 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:31.858259916 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37754 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:32.419380903 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:32.543703079 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37755 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:33.564249992 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:33.687309027 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37756 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:13:43.694207907 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:13:53.719754934 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:13:54.201560974 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:13:54.325315952 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37777 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:14:01.883702040 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:14:02.007220984 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37784 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:14:09.178474903 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:14:09.301920891 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37792 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:14:19.315738916 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:14:29.330413103 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:14:34.871947050 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 27, 2024 02:14:34.995337963 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 26 Oct 2024 13:44:17 GMT Age: 37817 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 27, 2024 02:14:45.006700993 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:14:55.189150095 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:15:05.200826883 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	34.107.221.82	80	7688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:13:08.734224081 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	34.107.221.82	80	7688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 02:13:12.939500093 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:13.063558102 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41600 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:13:13.368659973 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:13.492633104 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41600 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:13:21.035126925 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:21.158842087 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41608 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:13:21.602055073 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:21.728933096 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41608 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:13:23.080859900 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:23.205259085 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41610 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:13:31.863486052 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:31.987186909 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41618 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:13:32.546701908 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:32.671251059 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41619 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:13:33.690526962 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:33.814167976 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41620 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:13:43.825706959 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:13:53.835495949 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:13:54.328710079 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:13:54.452861071 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41641 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:14:02.030921936 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:14:02.155149937 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41649 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:14:09.305277109 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:14:09.429400921 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41656 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:14:19.431982994 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:14:29.446409941 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:14:34.999676943 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 27, 2024 02:14:35.124382019 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 26 Oct 2024 12:39:53 GMT Age: 41682 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 27, 2024 02:14:45.144875050 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:14:55.173746109 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 27, 2024 02:15:05.185201883 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	20:12:56
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc70000
File size:	919'552 bytes
MD5 hash:	085A2D34BB54FB4307229313B154231A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1723619393.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:12:56
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x7d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:12:56
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:12:58
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x7d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:12:58
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:12:58
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x7d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:12:58
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:12:58
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x7d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:12:58
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:12:58
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x7d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:12:58
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:12:59
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:12:59
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:12:59
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	20:12:59
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9e3fb81-0d0b-4a1e-b8d8-29e002a660ae} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cc8270710 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	20:13:02
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1320 -parentBuildID 20230927232528 -prefsHandle 2692 -prefMapHandle 1060 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fde0a241-5872-4d7e-a943-4e71d11b0b1b} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cd504ae10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	20:13:12
Start date:	26/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1540 -prefMapHandle 5028 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d56f2c-6efd-41a2-b64b-1bd529b5955a} 7688 "\\.\pipe\gecko-crash-server-pipe.7688" 21cdbe8e710 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1601
Total number of Limit Nodes:	73

Executed Functions

Function 00C742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C7430D

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

GetCurrentProcess.KERNEL32(?,00D0CB64,00000000,?,?), ref: 00C74422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C74429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C74454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C74466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C74474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C7447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C744A0

Strings

kernel32.dll, xrefs: 00C7444F
|O, xrefs: 00CB36F8
GetNativeSystemInfo, xrefs: 00C74460

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4df0d509ddd696c565b81faeb01db660edeed417565cb90b4b239eaee02f3f4b
Instruction ID: 5b614e3f5bad85ee5e51c8ddaf537fa69577f2e13483201ecef15c7cdd0e3357
Opcode Fuzzy Hash: 4df0d509ddd696c565b81faeb01db660edeed417565cb90b4b239eaee02f3f4b
Instruction Fuzzy Hash: 4CA1A27E91A3C0DFC715CF69BC482E57FA46B27740F089899E055D3B62E6214A88DF32

Function 00C742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C750AA,?,?,00000000,00000000), ref: 00C742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C750AA,?,?,00000000,00000000), ref: 00C742C9
LoadResource.KERNEL32(?,00000000,?,?,00C750AA,?,?,00000000,00000000,?,?,?,?,?,?,00C74F20), ref: 00CB35BE
SizeofResource.KERNEL32(?,00000000,?,?,00C750AA,?,?,00000000,00000000,?,?,?,?,?,?,00C74F20), ref: 00CB35D3
LockResource.KERNEL32(00C750AA,?,?,00C750AA,?,?,00000000,00000000,?,?,?,?,?,?,00C74F20,?), ref: 00CB35E6

Strings

SCRIPT, xrefs: 00C742BF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 08c766dabf310ed45c7763dd6e3887f5de8abe9084d6f01fe78961c0da45f208
Instruction ID: 909b6eab030be95a6aea6ea2eae577ad105fc1d96e565a47c778dc628e043bbf
Opcode Fuzzy Hash: 08c766dabf310ed45c7763dd6e3887f5de8abe9084d6f01fe78961c0da45f208
Instruction Fuzzy Hash: 3C117C70200700BFD7258BA5DC49F677BB9EBC5B51F208269B41ADA690DB71D9108A30

Function 00CB2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C72B6B

Part of subcall function 00C73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D41418,?,00C72E7F,?,?,?,00000000), ref: 00C73A78

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D32224), ref: 00CB2C10
ShellExecuteW.SHELL32(00000000,?,?,00D32224), ref: 00CB2C17

Strings

runas, xrefs: 00CB2C0B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: f65dad97cf018deefb33522e5e1c7276ec31a781b442fd2ef96687d5b031c4f5
Instruction ID: 241f44540e7dd2d4e7e7c8b161af346cca4f9d933d07541aa86774251052c4db
Opcode Fuzzy Hash: f65dad97cf018deefb33522e5e1c7276ec31a781b442fd2ef96687d5b031c4f5
Instruction Fuzzy Hash: AF11B1312083456BC714FF60D852EBE7BA4ABA1350F44942DF09E521A2DF308A4AB722

Function 00CDD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CDD501
Process32FirstW.KERNEL32(00000000,?), ref: 00CDD50F
Process32NextW.KERNEL32(00000000,?), ref: 00CDD52F
CloseHandle.KERNELBASE(00000000), ref: 00CDD5DC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e47d50be609a314cd3cab9450926d832c13a6d4dc644c6f49ef021b2d06a82aa
Instruction ID: 5766c9b48c928733899598e79debfefa109af51c10982215364596699baebf20
Opcode Fuzzy Hash: e47d50be609a314cd3cab9450926d832c13a6d4dc644c6f49ef021b2d06a82aa
Instruction Fuzzy Hash: D231C4711083009FD300EF54D881EAFBBF8EF99354F10452DF58A862A1EB719A45DBA3

Function 00CDDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00CB5222), ref: 00CDDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00CDDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00CDDBEE
FindClose.KERNEL32(00000000), ref: 00CDDBFA

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 34e7a1e6080e90926c637cfee087c73d69f12149e622e440712f6ba4c29478d4
Instruction ID: 3fe54bee4f2712fa78e3a238b5a7497feddb19fd188cc4319c65476925c6d004
Opcode Fuzzy Hash: 34e7a1e6080e90926c637cfee087c73d69f12149e622e440712f6ba4c29478d4
Instruction Fuzzy Hash: 72F0A73083061057C2206B789C0D67E376C9E41334F104703F53AC12E1EBB0595485A9

Function 00C94CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00CA28E9,?,00C94CBE,00CA28E9,00D388B8,0000000C,00C94E15,00CA28E9,00000002,00000000,?,00CA28E9), ref: 00C94D09
TerminateProcess.KERNEL32(00000000,?,00C94CBE,00CA28E9,00D388B8,0000000C,00C94E15,00CA28E9,00000002,00000000,?,00CA28E9), ref: 00C94D10
ExitProcess.KERNEL32 ref: 00C94D22

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f73c54cbd945fe6a347b672c3db5ae17e2c95a5160552ece2ca8d193396bc16d
Instruction ID: 08d1e5c062152817e199099c446fe1c8a9fd38561ddf3db3f5a45767aa5eb69d
Opcode Fuzzy Hash: f73c54cbd945fe6a347b672c3db5ae17e2c95a5160552ece2ca8d193396bc16d
Instruction Fuzzy Hash: B7E0B636020248ABCF19AF54DD0DE583B69FB46785B108118FC19CA222CB35DE42DA90

Function 00CFAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CFB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CFB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CFB1D4
_wcslen.LIBCMT ref: 00CFB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CFB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CFB236
_wcslen.LIBCMT ref: 00CFB332

Part of subcall function 00CE05A7: GetStdHandle.KERNEL32(000000F6), ref: 00CE05C6

_wcslen.LIBCMT ref: 00CFB34B
_wcslen.LIBCMT ref: 00CFB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CFB3B6
GetLastError.KERNEL32(00000000), ref: 00CFB407
CloseHandle.KERNEL32(?), ref: 00CFB439
CloseHandle.KERNEL32(00000000), ref: 00CFB44A
CloseHandle.KERNEL32(00000000), ref: 00CFB45C
CloseHandle.KERNEL32(00000000), ref: 00CFB46E
CloseHandle.KERNEL32(?), ref: 00CFB4E3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b70395eaac7a9e1dc136b1e0c9baf2b50a9683e78d5a464591d8ad21c8c4913e
Instruction ID: 54fae65561fa22ef881ea18d1fada99ae80738d9636a7ac0ffde70c44fb9e6bf
Opcode Fuzzy Hash: b70395eaac7a9e1dc136b1e0c9baf2b50a9683e78d5a464591d8ad21c8c4913e
Instruction Fuzzy Hash: C3F1DC31608304DFCB54EF24C881B6EBBE5AF85314F18855DF9998B2A2CB31ED44CB52

Function 00C7D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C7D807
timeGetTime.WINMM ref: 00C7DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7DB28
TranslateMessage.USER32(?), ref: 00C7DB7B
DispatchMessageW.USER32(?), ref: 00C7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7DB9F
Sleep.KERNELBASE(0000000A), ref: 00C7DBB1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 57aa2deb5a488d7e17f298ddc473fbb7f40fcccef438209b1409775953d219a5
Instruction ID: edf02da61dbcca2e1acc786761e556780a2acd5e94973e0ecda878113c1d81da
Opcode Fuzzy Hash: 57aa2deb5a488d7e17f298ddc473fbb7f40fcccef438209b1409775953d219a5
Instruction Fuzzy Hash: EA42EF30608341EFD729DF25C884F6AB7F0BF86314F18865DE56A87291DB70E984DB92

Function 00C72CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C72D07
RegisterClassExW.USER32(00000030), ref: 00C72D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C72D42
InitCommonControlsEx.COMCTL32(?), ref: 00C72D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C72D6F
LoadIconW.USER32(000000A9), ref: 00C72D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C72D94

Strings

+, xrefs: 00C72CF0
AutoIt v3 GUI, xrefs: 00C72D23
0, xrefs: 00C72CE9
TaskbarCreated, xrefs: 00C72D37

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cfbdb905a2dbd7c1cfa23b8a45de5b36110827622cce87ff661d2cc93e9ccb2f
Instruction ID: e52f4bd8b6f5cd5ae41e2dcdb7f5edf751e8d9d9eedef6f4b4556537faa951a3
Opcode Fuzzy Hash: cfbdb905a2dbd7c1cfa23b8a45de5b36110827622cce87ff661d2cc93e9ccb2f
Instruction Fuzzy Hash: 3E21E3B9921308AFDB00DFA4E849BDDBBB4FB09700F10921AF515E63A0D7B10584CFA0

Function 00CB065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CB039A: CreateFileW.KERNELBASE(00000000,00000000,?,00CB0704,?,?,00000000,?,00CB0704,00000000,0000000C), ref: 00CB03B7

GetLastError.KERNEL32 ref: 00CB076F
__dosmaperr.LIBCMT ref: 00CB0776
GetFileType.KERNELBASE(00000000), ref: 00CB0782
GetLastError.KERNEL32 ref: 00CB078C
__dosmaperr.LIBCMT ref: 00CB0795
CloseHandle.KERNEL32(00000000), ref: 00CB07B5
CloseHandle.KERNEL32(?), ref: 00CB08FF
GetLastError.KERNEL32 ref: 00CB0931
__dosmaperr.LIBCMT ref: 00CB0938

Strings

H, xrefs: 00CB08BD

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b1545c61b534f9b718969ed31bbadd7b7c12fbdebb885c931e4956bf2b08f9ff
Instruction ID: 35d252043187d5f0fee43aebee6e09db6ebe08fc01dd0b1ebaf1914eae2b3321
Opcode Fuzzy Hash: b1545c61b534f9b718969ed31bbadd7b7c12fbdebb885c931e4956bf2b08f9ff
Instruction Fuzzy Hash: E5A12432A146048FDF19EF68D855BEE7BA0AB06320F24015DF815EB3E1CB319D16DBA1

Function 00C7344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D41418,?,00C72E7F,?,?,?,00000000), ref: 00C73A78

Part of subcall function 00C73357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C73379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C7356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CB318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CB31CE
RegCloseKey.ADVAPI32(?), ref: 00CB3210
_wcslen.LIBCMT ref: 00CB3277
_wcslen.LIBCMT ref: 00CB3286

Strings

Include, xrefs: 00CB3184, 00CB31C5
Software\AutoIt v3\AutoIt, xrefs: 00C73560
\, xrefs: 00CB328C
\Include\, xrefs: 00C73527

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e47fa2dac06243bafe39d7e50a427cf2c5a07bbc147e6bfe9632ea948912e1b7
Instruction ID: d64daf1729ccf115bcccbb9920660a5a4ea43a2c2fd13cc94900c88df064401e
Opcode Fuzzy Hash: e47fa2dac06243bafe39d7e50a427cf2c5a07bbc147e6bfe9632ea948912e1b7
Instruction Fuzzy Hash: 5A715A714143009FC314EF65DC8A9AABBF8FF96740F80452EF559C32A1DB309A49DB62

Function 00C72B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C72B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C72B9D
LoadIconW.USER32(00000063), ref: 00C72BB3
LoadIconW.USER32(000000A4), ref: 00C72BC5
LoadIconW.USER32(000000A2), ref: 00C72BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C72BEF
RegisterClassExW.USER32(?), ref: 00C72C40

Part of subcall function 00C72CD4: GetSysColorBrush.USER32(0000000F), ref: 00C72D07
Part of subcall function 00C72CD4: RegisterClassExW.USER32(00000030), ref: 00C72D31
Part of subcall function 00C72CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C72D42
Part of subcall function 00C72CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C72D5F
Part of subcall function 00C72CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C72D6F
Part of subcall function 00C72CD4: LoadIconW.USER32(000000A9), ref: 00C72D85
Part of subcall function 00C72CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C72D94

Strings

AutoIt v3, xrefs: 00C72C2F
0, xrefs: 00C72C0F
#, xrefs: 00C72C16

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ab7e4a198aa71f5480c4491f4807090de2376afd32b82873a4b06ad6d37593e0
Instruction ID: 844275dc04c423bf3230eb99f8657e5f3f3b444c05c4c9bb9f2fd7297e42781c
Opcode Fuzzy Hash: ab7e4a198aa71f5480c4491f4807090de2376afd32b82873a4b06ad6d37593e0
Instruction Fuzzy Hash: 6221387CE50318ABDB109FA5EC89BA97FB4FB49B50F10411AE504E67A0D3B11580CFA0

Function 00C73170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C7316A,?,?), ref: 00C731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C7316A,?,?), ref: 00C73204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C73227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C7316A,?,?), ref: 00C73232
CreatePopupMenu.USER32 ref: 00C73246
PostQuitMessage.USER32(00000000), ref: 00C73267

Strings

TaskbarCreated, xrefs: 00C7322D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b17aa2b7b6c198b723a80dda04cd3be9fe668b16e27b229401fc7adf9082b977
Instruction ID: 81a3a88e33f84c36a3b47ecab113b86fed2f2d16802695d4839a26ae68f13bb9
Opcode Fuzzy Hash: b17aa2b7b6c198b723a80dda04cd3be9fe668b16e27b229401fc7adf9082b977
Instruction Fuzzy Hash: E741F539260384A7DB155F789D0EBBD3B59E746340F148225F92EC63A3C7619B80BB72

Function 00C71410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C71459
CoUninitialize.COMBASE ref: 00C714F8
UnregisterHotKey.USER32(?), ref: 00C716DD
DestroyWindow.USER32(?), ref: 00CB24B9
FreeLibrary.KERNEL32(?), ref: 00CB251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CB254B

Strings

close all, xrefs: 00C71454

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e6d4b818123ffeb75c3a26e25e8fd4032939fae924809f2104b337f1e51a102f
Instruction ID: a606541a54664dfd7e2fa75975b225e86b310df87b4df16a583f459c91842a1f
Opcode Fuzzy Hash: e6d4b818123ffeb75c3a26e25e8fd4032939fae924809f2104b337f1e51a102f
Instruction Fuzzy Hash: 95D16D31701212CFCB29EF19C899B69F7A4BF05700F1882ADE94EAB251DB30AD16DF55

Function 00C72C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C72C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C72CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C71CAD,?), ref: 00C72CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C71CAD,?), ref: 00C72CCF

Strings

AutoIt v3, xrefs: 00C72C89, 00C72C8E, 00C72C8F
edit, xrefs: 00C72CAC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3518bade093dfa68d05583fabedc3fcb64da1e607569765a8bc4308837415415
Instruction ID: 8626de876f8b386aeefeb6af99192ee8a136d6a0905fe376f23467f90f3140c4
Opcode Fuzzy Hash: 3518bade093dfa68d05583fabedc3fcb64da1e607569765a8bc4308837415415
Instruction Fuzzy Hash: 2EF0B27D6903907BEB211F67AC4CFB72EBDD7CBF60B00105AF904E26A0C6611894DAB0

Function 00C73B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C73B0F,SwapMouseButtons,00000004,?), ref: 00C73B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C73B0F,SwapMouseButtons,00000004,?), ref: 00C73B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C73B0F,SwapMouseButtons,00000004,?), ref: 00C73B83

Strings

Control Panel\Mouse, xrefs: 00C73B3E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 375af6c398cd4b25cfd755b985d5e7ec8946e8756041823cb935ac6f8f20305a
Instruction ID: 7b6f1ca9a80fa313a4a619fffb16d62d42a03eb2cf5b9088e4fe22b57adab286
Opcode Fuzzy Hash: 375af6c398cd4b25cfd755b985d5e7ec8946e8756041823cb935ac6f8f20305a
Instruction Fuzzy Hash: A9112AB5520248FFDB208FA5DC44AEEBBBCEF04744B10855AA809D7210D2319F40A7A0

Function 00C73923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CB33A2

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C73A04

Strings

Line: , xrefs: 00CB33EB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 26ebd1a78b8882e11963f281111c4c17e61f75e7ccd5fb5b78053d5ca6ef59f2
Instruction ID: 575bc3bf0b3595a0872e4a7caa647b0889481a7b7ed44f51084166d73e13551d
Opcode Fuzzy Hash: 26ebd1a78b8882e11963f281111c4c17e61f75e7ccd5fb5b78053d5ca6ef59f2
Instruction Fuzzy Hash: 4F31C371448340ABC721EF20DC49BEFB7E8AB81710F00852AF59D831A1EB709789E7D2

Function 00C8FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C90668

Part of subcall function 00C932A4: RaiseException.KERNEL32(?,?,?,00C9068A,?,00D41444,?,?,?,?,?,?,00C9068A,00C71129,00D38738,00C71129), ref: 00C93304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C90685

Strings

Unknown exception, xrefs: 00C90692

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 94299de39a2f890293319f81330569dee202f26f95312babe72ca4c7859832fb
Instruction ID: efe71597118d783bce630cc7c172adb737dd2fbc2e4f197e01792fa700a5babe
Opcode Fuzzy Hash: 94299de39a2f890293319f81330569dee202f26f95312babe72ca4c7859832fb
Instruction Fuzzy Hash: D0F0AF34900709AB8F00BA64D84EC9E7B6C5F00314B704136B924D65D2EF71EB6AE694

Function 00C710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C71BF4
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C71BFC
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C71C07
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C71C12
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C71C1A
Part of subcall function 00C71BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C71C22

Part of subcall function 00C71B4A: RegisterWindowMessageW.USER32(00000004,?,00C712C4), ref: 00C71BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C7136A
OleInitialize.OLE32 ref: 00C71388
CloseHandle.KERNEL32(00000000,00000000), ref: 00CB24AB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 0ae3be9f0fe5cbe7f00d59cd135c314678327d3c52c467c621aa16d1e686b364
Instruction ID: cd5f7bb4d01ca6ee67b56c4c782ebf4381e53cf534cfe08e4bd0c12eaf5431e5
Opcode Fuzzy Hash: 0ae3be9f0fe5cbe7f00d59cd135c314678327d3c52c467c621aa16d1e686b364
Instruction Fuzzy Hash: 937197BC9113459FC784EF7AE8456993AF0BB8A384758822AD51EC73A1EB3084C4DF74

Function 00CDC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C73A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CDC259
KillTimer.USER32(?,00000001,?,?), ref: 00CDC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CDC270

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 4abc204d7dcf3a2e27bb258fcbfb02345ad03005220648d06335e940bf49c2eb
Instruction ID: c6908dbb8c9ddeb0b40da5a3b2a51d315ad81a86d00b4117fea51943e6689a7e
Opcode Fuzzy Hash: 4abc204d7dcf3a2e27bb258fcbfb02345ad03005220648d06335e940bf49c2eb
Instruction Fuzzy Hash: 5A319370904354AFEB329F64C895BEBBBECAB06304F04449EE6EE97341C7745A84CB51

Function 00CA86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00CA85CC,?,00D38CC8,0000000C), ref: 00CA8704
GetLastError.KERNEL32(?,00CA85CC,?,00D38CC8,0000000C), ref: 00CA870E
__dosmaperr.LIBCMT ref: 00CA8739

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 76c6908b3001fbc98ec2dcb8f171fa0d7b1952b76a328000c1b2c16a17432ad7
Instruction ID: 55ec31ae2238b373ef51fb4fa8f821b2b53c40be5abbf5c642c74e7d016d337e
Opcode Fuzzy Hash: 76c6908b3001fbc98ec2dcb8f171fa0d7b1952b76a328000c1b2c16a17432ad7
Instruction Fuzzy Hash: 7E014E3261562227EA6467346845B7E6B494BC377CF39421DF928CB1E2DEB0CD89D1A0

Function 00C7DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C7DB7B
DispatchMessageW.USER32(?), ref: 00C7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7DB9F
Sleep.KERNELBASE(0000000A), ref: 00C7DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00CC1CC9

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 113ed00b87b69396e0c945ecf229c94a9df78b169517e5471bfca1123806e9f5
Instruction ID: a4860986b0f29e3511af4ce35bf4f6f2f1bfcc5f306569ca7a784d4b9a12a7cd
Opcode Fuzzy Hash: 113ed00b87b69396e0c945ecf229c94a9df78b169517e5471bfca1123806e9f5
Instruction Fuzzy Hash: A5F05E306443409BE730CB61CC49FAA73B8EF85350F504619F62ED31C0DB30A5888B65

Function 00C81310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C817F6

Strings

CALL, xrefs: 00C817C6

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1d403f9ad129172fb380783dc87134a090d725a76d8dbe2d15ab6bedff6df808
Instruction ID: 3a3a6d74384129656167f63d84c13f79d83f547d0b53bef6b887df4c79baede4
Opcode Fuzzy Hash: 1d403f9ad129172fb380783dc87134a090d725a76d8dbe2d15ab6bedff6df808
Instruction Fuzzy Hash: 75229B706082419FC714EF15C480F2ABBF5BF85318F28896DF89A8B3A1D731E946DB56

Function 00C72DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00CB2C8C

Part of subcall function 00C73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C73A97,?,?,00C72E7F,?,?,?,00000000), ref: 00C73AC2

Part of subcall function 00C72DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C72DC4

Strings

X, xrefs: 00CB2C5A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e62cb7e16793e7c5556c30f11987bcd64fcaa4072adeb15f1a60bb706d1c993f
Instruction ID: d45cd8391d8efa146946f432a043c9b39e52694baba338f68bded4960e2dbc7a
Opcode Fuzzy Hash: e62cb7e16793e7c5556c30f11987bcd64fcaa4072adeb15f1a60bb706d1c993f
Instruction Fuzzy Hash: 0A219371A00298ABDB01DF94C845BEE7BF8AF49314F008059E409B7341DBB49A89DB61

Function 00C73837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C73908

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c34f66e3fec1b55df7ed531f8841a274e0feb26919f7f9667e7620504c24a02d
Instruction ID: 023477fd1b50c0715abf371e70f1184359d7bec72229f65dfc1d9aec2ec73d8f
Opcode Fuzzy Hash: c34f66e3fec1b55df7ed531f8841a274e0feb26919f7f9667e7620504c24a02d
Instruction Fuzzy Hash: 6B315E749047419FD720DF64D889797BBE8FB49708F00092EF6A9C7390E771AA44DB62

Function 00C8F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C8F661

Part of subcall function 00C7D730: GetInputState.USER32 ref: 00C7D807

Sleep.KERNEL32(00000000), ref: 00CCF2DE

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d580d11a795caf666678ca51418238647a919f18c64392ea83182f45c4cdbec0
Instruction ID: 972b63da09549116d980afcc8d92f487939ee2bf341b6c738ae363a69ce60cc4
Opcode Fuzzy Hash: d580d11a795caf666678ca51418238647a919f18c64392ea83182f45c4cdbec0
Instruction Fuzzy Hash: CEF05831240205AFD354EB69D449B6AB7E8AF45761F004129E85EC73A0DB70A800CBA1

Function 00C7B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C7BB4E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 042baf0743e851e579d7003fa4e465b8587a2f214bbe1b04a1fa9a55c1a200be
Instruction ID: 0cc45c8fa1f884196e76d24c48feb5469ddfffeae76f16d2f4db0a15428068af
Opcode Fuzzy Hash: 042baf0743e851e579d7003fa4e465b8587a2f214bbe1b04a1fa9a55c1a200be
Instruction Fuzzy Hash: 1232AE34A00209DFDB14CF55C898FBEB7B9EF44314F288059E929AB3A1C774AE41CB61

Function 00C74ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C74E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C74EDD,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E9C
Part of subcall function 00C74E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C74EAE
Part of subcall function 00C74E90: FreeLibrary.KERNEL32(00000000,?,?,00C74EDD,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74EFD

Part of subcall function 00C74E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB3CDE,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E62
Part of subcall function 00C74E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C74E74
Part of subcall function 00C74E59: FreeLibrary.KERNEL32(00000000,?,?,00CB3CDE,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E87

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ec7bc52c9d1c5642430f87111e1bdbaf70e28c7cbb04c75808b51bd8ca7d05de
Instruction ID: 52bdce2d163d28811bb8465d9aeb4b95be72dd27f460b7f4236e72391b79481d
Opcode Fuzzy Hash: ec7bc52c9d1c5642430f87111e1bdbaf70e28c7cbb04c75808b51bd8ca7d05de
Instruction Fuzzy Hash: D811E332610205ABDF28FBA5DC06FADB7A5AF40710F20C42DF55AA61C1EFB09A05A750

Function 00CA8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00CA8440

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 70c1436894a9b3a8050033fd71745a54ee14a0171c88fe3a4c96e5fd0cbdbe36
Instruction ID: 1f9e9b45f009cbbe77c41435ce826134b1b1197f424eb2e555355efe0676386b
Opcode Fuzzy Hash: 70c1436894a9b3a8050033fd71745a54ee14a0171c88fe3a4c96e5fd0cbdbe36
Instruction Fuzzy Hash: 4111487590420AAFCF05DF58E94099E7BF8EF49304F104059F808AB312DA30DA15CBA4

Function 00CA5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CA4C7D: RtlAllocateHeap.NTDLL(00000008,00C71129,00000000,?,00CA2E29,00000001,00000364,?,?,?,00C9F2DE,00CA3863,00D41444,?,00C8FDF5,?), ref: 00CA4CBE

_free.LIBCMT ref: 00CA506C

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 8e322c329d0ec22bd7b4c1fb421180734c2e090c8a266c83c97bebf95501a275
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 550149722047066BE3318F69DC81A9AFBECFB8A374F25051DE194832C0EB70A905C7B4

Function 00C9E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 8cea720a34531d60a8e479a89c97c913c24bf2301ff471473830bde38c161e19
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 52F0F932510E18D7DE317A6ACC0DB5633989FB3334F100715F421961D1DF70D50596A5

Function 00CA4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C71129,00000000,?,00CA2E29,00000001,00000364,?,?,?,00C9F2DE,00CA3863,00D41444,?,00C8FDF5,?), ref: 00CA4CBE

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 997692c2f24e0bbee248975d9a10fb4a5f07c4831c682eca5c4ac39f18b54dbb
Instruction ID: dafd3bd139248d38e4955f35f05f8280cf0507482384891564dd8a27b82a306f
Opcode Fuzzy Hash: 997692c2f24e0bbee248975d9a10fb4a5f07c4831c682eca5c4ac39f18b54dbb
Instruction Fuzzy Hash: 92F0E93160623667DF295F669C09F5A3788BFC37BCB144225B82DE7281CAF0D90256E0

Function 00CA3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a56ddee952476b605913dcab62e6620b9b36af40e478262577dbd86a22d3b5dd
Instruction ID: 866d3a52609bfb8c7da8ee4b990394588600250c268e796df1e09dfb5538416c
Opcode Fuzzy Hash: a56ddee952476b605913dcab62e6620b9b36af40e478262577dbd86a22d3b5dd
Instruction Fuzzy Hash: BFE0E5312012A757DB212B679C18F9A3748AF437BCF050122BC24D65C0DB18DF0292F1

Function 00C74F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74F6D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 7d855a283179ca30bf5d1e4bd572e99dca14f69aeb822e2029a54e9a06b40dd1
Instruction ID: 2deb2f6d974957dd6fab724ea96e0b492073497508c285b89f6e726a7f2f42e0
Opcode Fuzzy Hash: 7d855a283179ca30bf5d1e4bd572e99dca14f69aeb822e2029a54e9a06b40dd1
Instruction Fuzzy Hash: D3F01571105752CFDB389FA5D494822BBE4AF15329320CA6EE1EE82621C7329844DB10

Function 00D02A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D02A66

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: bf44f60ce8d9a1bfd354b5bdcab42c3382b4d5041ca618af664d3c46db7155f2
Instruction ID: 0e5d42df81ba01d883c3727a068f33b312541c27ef91c056fd0d22a49d7d6557
Opcode Fuzzy Hash: bf44f60ce8d9a1bfd354b5bdcab42c3382b4d5041ca618af664d3c46db7155f2
Instruction Fuzzy Hash: 25E04F36751156AAC724EB30DC84AFE735CEB50395B104536BD5FC2290DF30DA9596B0

Function 00C730F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C7314E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: dd6bde2691d135a080535d5f6f45835e0dbb4ece5986acf5590469c9ee8d7579
Instruction ID: 5f24d6cc25b2caa5f0f44feff5f322cc8ba1b328d52b9d8f7695a2dccd59dfa0
Opcode Fuzzy Hash: dd6bde2691d135a080535d5f6f45835e0dbb4ece5986acf5590469c9ee8d7579
Instruction Fuzzy Hash: 87F0A7749103149FEB629F24DC497D97BFCB701708F0400E5A188D6291D77057C8CF61

Function 00C72DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C72DC4

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: b5672a3ae78a9d4a982b2a3e011f024237c69c40749bee4d0398f842655397fd
Instruction ID: 04f10ee6fa2a4217f20b68c26c359413b6a359ab8b31f806f1095471f6c580f4
Opcode Fuzzy Hash: b5672a3ae78a9d4a982b2a3e011f024237c69c40749bee4d0398f842655397fd
Instruction Fuzzy Hash: A8E0C272A002245BCB20E7A89C06FEA77EDDFC8790F0441B1FD0DE7249DA60AD80D6A0

Function 00C72B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C73837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C73908

Part of subcall function 00C7D730: GetInputState.USER32 ref: 00C7D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C72B6B

Part of subcall function 00C730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C7314E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b1a7c7be478113c762b0ce8bf08a6be92cb478009bd3dbf67c3b5ef301e59393
Instruction ID: 068e3ba32594bed3797aaba6bd06e07ee2f0f8a68dac4b58912f203eea0bbee1
Opcode Fuzzy Hash: b1a7c7be478113c762b0ce8bf08a6be92cb478009bd3dbf67c3b5ef301e59393
Instruction Fuzzy Hash: 02E0862531428907C608BB75985256DA7599BE2351F40953EF14F872A3CF2446856262

Function 00CB039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00CB0704,?,?,00000000,?,00CB0704,00000000,0000000C), ref: 00CB03B7

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 15c3081a495c1870df468a51251f45774e8646cacff4452e9c353cc42b2a8bd2
Instruction ID: 23d1881f4526ff69b369550f005a504cc1f99d80e3daae29c1efc41bec482728
Opcode Fuzzy Hash: 15c3081a495c1870df468a51251f45774e8646cacff4452e9c353cc42b2a8bd2
Instruction Fuzzy Hash: 39D06C3205020DBBDF028F84DD06EDA3BAAFB48714F014100BE1896120C732E821AB91

Function 00C71CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C71CBC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6d80b83f00e0eb521ce72bed26f5a06296b2c97d8f68b5c2e88e528690c4d2e5
Instruction ID: ca03f083ddd8170613e165edba02b14773cb1a39e48944a523c67aed772ff7b8
Opcode Fuzzy Hash: 6d80b83f00e0eb521ce72bed26f5a06296b2c97d8f68b5c2e88e528690c4d2e5
Instruction Fuzzy Hash: 65C0923E280304AFF2148F80BC4EF2077A4A349F00F448001F60DE9BE3C3A22860EA70

Non-executed Functions

Function 00D09576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D0961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D0965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D0969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D096C9
SendMessageW.USER32 ref: 00D096F2
GetKeyState.USER32(00000011), ref: 00D0978B
GetKeyState.USER32(00000009), ref: 00D09798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D097AE
GetKeyState.USER32(00000010), ref: 00D097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D097E9
SendMessageW.USER32 ref: 00D09810
SendMessageW.USER32(?,00001030,?,00D07E95), ref: 00D09918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D0992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D09941
SetCapture.USER32(?), ref: 00D0994A
ClientToScreen.USER32(?,?), ref: 00D099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D099D6
ReleaseCapture.USER32 ref: 00D099E1
GetCursorPos.USER32(?), ref: 00D09A19
ScreenToClient.USER32(?,?), ref: 00D09A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D09A80
SendMessageW.USER32 ref: 00D09AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D09AEB
SendMessageW.USER32 ref: 00D09B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D09B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D09B4A
GetCursorPos.USER32(?), ref: 00D09B68
ScreenToClient.USER32(?,?), ref: 00D09B75
GetParent.USER32(?), ref: 00D09B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D09BFA
SendMessageW.USER32 ref: 00D09C2B
ClientToScreen.USER32(?,?), ref: 00D09C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D09CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D09CDE
SendMessageW.USER32 ref: 00D09D01
ClientToScreen.USER32(?,?), ref: 00D09D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D09D82

Part of subcall function 00C89944: GetWindowLongW.USER32(?,000000EB), ref: 00C89952

GetWindowLongW.USER32(?,000000F0), ref: 00D09E05

Strings

F, xrefs: 00D09D07
@GUI_DRAGID, xrefs: 00D0997D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 2926d00cdd158aa4c536a358d6bf456f3c56b64d4c18de45892d6ab1067ed920
Instruction ID: 2dc51838cdf4a726cb4496b751f5b5a01cd26fa77a3ed4adb4d07516ab6a34f2
Opcode Fuzzy Hash: 2926d00cdd158aa4c536a358d6bf456f3c56b64d4c18de45892d6ab1067ed920
Instruction Fuzzy Hash: DA426A35608301AFD724CF24CC64BAABBE5EF89310F584619F699872E2D772E851CB61

Function 00D04873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D04908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D04927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D0494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D0495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D0497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D04A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D04A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D04A7E
IsMenu.USER32(?), ref: 00D04A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D04AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D04B20
GetWindowLongW.USER32(?,000000F0), ref: 00D04B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D04BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D04C82
wsprintfW.USER32 ref: 00D04CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D04CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D04CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D04D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D04D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D04D5A

Strings

%d/%02d/%02d, xrefs: 00D04CA8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8594bc274975945773a7f5a507a115745be82f97da483c7e7a49242b479cdc25
Instruction ID: 786b45e15b7bb4fc423d3167a96318fb0fbb935b4993ec506f85912913cadeb4
Opcode Fuzzy Hash: 8594bc274975945773a7f5a507a115745be82f97da483c7e7a49242b479cdc25
Instruction Fuzzy Hash: 1A12CFB1600215ABEB249F24CC49FAE7BF8EF85714F148229F619DB2E1DB74D941CB60

Function 00C8F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C8F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CCF474
IsIconic.USER32(00000000), ref: 00CCF47D
ShowWindow.USER32(00000000,00000009), ref: 00CCF48A
SetForegroundWindow.USER32(00000000), ref: 00CCF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CCF4AA
GetCurrentThreadId.KERNEL32 ref: 00CCF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CCF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CCF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CCF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00CCF4DE
SetForegroundWindow.USER32(00000000), ref: 00CCF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCF4F6
keybd_event.USER32(00000012,00000000), ref: 00CCF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCF50B
keybd_event.USER32(00000012,00000000), ref: 00CCF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCF519
keybd_event.USER32(00000012,00000000), ref: 00CCF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCF528
keybd_event.USER32(00000012,00000000), ref: 00CCF52D
SetForegroundWindow.USER32(00000000), ref: 00CCF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00CCF557

Strings

Shell_TrayWnd, xrefs: 00CCF46F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 86d0054a7e40a5c9e838174365f3f79e5ee921630b07c2b09e0cecc82b82321f
Instruction ID: 804d30406219f618e777305ce8a387a67c39ae157552a1474afcf30e8351cbec
Opcode Fuzzy Hash: 86d0054a7e40a5c9e838174365f3f79e5ee921630b07c2b09e0cecc82b82321f
Instruction Fuzzy Hash: 29317471A50318BFEB206BB59C4AFBF7E6DEB44B50F101129F604E62D1C6B19D01AA70

Function 00CD1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00CD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD170D
Part of subcall function 00CD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD173A
Part of subcall function 00CD16C3: GetLastError.KERNEL32 ref: 00CD174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00CD1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00CD12A8
CloseHandle.KERNEL32(?), ref: 00CD12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CD12D1
GetProcessWindowStation.USER32 ref: 00CD12EA
SetProcessWindowStation.USER32(00000000), ref: 00CD12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CD1310

Part of subcall function 00CD10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CD11FC), ref: 00CD10D4
Part of subcall function 00CD10BF: CloseHandle.KERNEL32(?,?,00CD11FC), ref: 00CD10E9

Strings

winsta0, xrefs: 00CD12CC
, xrefs: 00CD125A
default, xrefs: 00CD130B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: ca63d53e4bf2aee93510d6d0028e8febcd72bb378e4a7838b3b2704a55b1d656
Instruction ID: d8c2b10908464ddb995675c5bd187a21a1b27ac77342172d32a9f2177694f4d2
Opcode Fuzzy Hash: ca63d53e4bf2aee93510d6d0028e8febcd72bb378e4a7838b3b2704a55b1d656
Instruction Fuzzy Hash: 69818C71900309BFDF219FA5DC49BEE7BB9EF04704F18412AFA24E62A0C7719A45CB61

Function 00CD0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1114
Part of subcall function 00CD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1120
Part of subcall function 00CD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD112F
Part of subcall function 00CD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1136
Part of subcall function 00CD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD0C00
GetLengthSid.ADVAPI32(?), ref: 00CD0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00CD0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD0C6D
GetLengthSid.ADVAPI32(?), ref: 00CD0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CD0C8C
HeapAlloc.KERNEL32(00000000), ref: 00CD0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CD0CB4
CopySid.ADVAPI32(00000000), ref: 00CD0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CD0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0D45
HeapFree.KERNEL32(00000000), ref: 00CD0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0D55
HeapFree.KERNEL32(00000000), ref: 00CD0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0D65
HeapFree.KERNEL32(00000000), ref: 00CD0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CD0D78
HeapFree.KERNEL32(00000000), ref: 00CD0D7F

Part of subcall function 00CD1193: GetProcessHeap.KERNEL32(00000008,00CD0BB1,?,00000000,?,00CD0BB1,?), ref: 00CD11A1
Part of subcall function 00CD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CD0BB1,?), ref: 00CD11A8
Part of subcall function 00CD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CD0BB1,?), ref: 00CD11B7

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fabfddb38af91a1aed96537b75d7339efcf13e9d1e9a29627e9bb32e960f8edc
Instruction ID: 5eb266cd0ecf7e8eb4c723902dd198cbaed006ca80f3b15016284c7fc7d77e65
Opcode Fuzzy Hash: fabfddb38af91a1aed96537b75d7339efcf13e9d1e9a29627e9bb32e960f8edc
Instruction Fuzzy Hash: 44714E7190020AAFDF10DFA8DC44FAEBBB9BF05310F14461AEA19E7291D771AA05CB71

Function 00CEEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D0CC08), ref: 00CEEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CEEB37
GetClipboardData.USER32(0000000D), ref: 00CEEB43
CloseClipboard.USER32 ref: 00CEEB4F
GlobalLock.KERNEL32(00000000), ref: 00CEEB87
CloseClipboard.USER32 ref: 00CEEB91
GlobalUnlock.KERNEL32(00000000), ref: 00CEEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00CEEBC9
GetClipboardData.USER32(00000001), ref: 00CEEBD1
GlobalLock.KERNEL32(00000000), ref: 00CEEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00CEEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00CEEC38
GetClipboardData.USER32(0000000F), ref: 00CEEC44
GlobalLock.KERNEL32(00000000), ref: 00CEEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CEEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CEEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CEECD2
GlobalUnlock.KERNEL32(00000000), ref: 00CEECF3
CountClipboardFormats.USER32 ref: 00CEED14
CloseClipboard.USER32 ref: 00CEED59

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f293ce92c115273389bcba6b00cef70f556cf5d22e2a88a761e4793858536487
Instruction ID: 50073c05e46188a19af8fb38dd9e02eb09c265e24dbd4f5f504f4163c773b3ae
Opcode Fuzzy Hash: f293ce92c115273389bcba6b00cef70f556cf5d22e2a88a761e4793858536487
Instruction Fuzzy Hash: 6961DF34204381AFD310EF25D885F6A77A4EF84744F149619F46AD72A2DB31EE09DB62

Function 00CE698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CE69BE
FindClose.KERNEL32(00000000), ref: 00CE6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CE6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CE6A75

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00CE6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CE6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00CE6B6A
%02d, xrefs: 00CE6C00, 00CE6C0A, 00CE6C5A, 00CE6CAA, 00CE6CFA, 00CE6D4A
%4d, xrefs: 00CE6BB1
%03d, xrefs: 00CE6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00CE6B32

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: fc271c404f87953cf1e686e554bdf57e78875192cf0c2faeafc17658de60faea
Instruction ID: 3dd6beef4d3afe23c26202dae1cdb767865b9d4c8bd68620df486098e100f6a5
Opcode Fuzzy Hash: fc271c404f87953cf1e686e554bdf57e78875192cf0c2faeafc17658de60faea
Instruction Fuzzy Hash: D6D14F72508340AFC710EBA5C882EAFB7ECAF99704F04491DF599C7291EB74DA44DB62

Function 00CE9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CE9663
GetFileAttributesW.KERNEL32(?), ref: 00CE96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00CE96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00CE96D3
FindClose.KERNEL32(00000000), ref: 00CE96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00CE96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE974A
SetCurrentDirectoryW.KERNEL32(00D36B7C), ref: 00CE9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE9772
FindClose.KERNEL32(00000000), ref: 00CE977F
FindClose.KERNEL32(00000000), ref: 00CE978F

Strings

*.*, xrefs: 00CE96F5

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: f58d9924d2d39fd990a31d2441ccceffe4cd0b1a45adf092ab324b2a2d132bea
Instruction ID: e11590552f02f2f83008eed45afedc5e88b66c8ba2f7f8ebadb964ac025a10e5
Opcode Fuzzy Hash: f58d9924d2d39fd990a31d2441ccceffe4cd0b1a45adf092ab324b2a2d132bea
Instruction Fuzzy Hash: 4D31F3325106597EDF24AFB6DC09BDE77ACEF09320F104166F818E21A1DB30DE488E24

Function 00CE979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CE97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00CE9819
FindClose.KERNEL32(00000000), ref: 00CE9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00CE9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE9890
SetCurrentDirectoryW.KERNEL32(00D36B7C), ref: 00CE98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE98B8
FindClose.KERNEL32(00000000), ref: 00CE98C5
FindClose.KERNEL32(00000000), ref: 00CE98D5

Part of subcall function 00CDDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CDDB00

Strings

*.*, xrefs: 00CE983B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c8ca9aacbb697887df8574e2a1b93b28b68aab664552211ba2269582bad0f143
Instruction ID: 81962bb19a41f9f4c24a66abbd1e5a9bb9f4b9c423049f3c52f95df04fb3cc54
Opcode Fuzzy Hash: c8ca9aacbb697887df8574e2a1b93b28b68aab664552211ba2269582bad0f143
Instruction Fuzzy Hash: 1831B2325006596EDF24EFB6EC48ADE77ACDF06320F148155E928E21E1DB30DE89CB64

Function 00CFBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFC9F1
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA68
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CFBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00CFBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CFC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CFC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CFC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CFC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CFC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CFC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CFC382
RegCloseKey.ADVAPI32(00000000), ref: 00CFC38F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 75ca56fb110c6241a3d4ada9cc4947d5052776a58f9db41906d94f94815e057e
Instruction ID: dfe887300ba2d795cfe9ad732a8ef579cf317eb8032efae650872675371a82ae
Opcode Fuzzy Hash: 75ca56fb110c6241a3d4ada9cc4947d5052776a58f9db41906d94f94815e057e
Instruction Fuzzy Hash: 9E025B716042049FD754CF28C991E2ABBE5EF89308F18C49DF95ACB2A2DB31ED45CB52

Function 00CE8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CE8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CE8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CE8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CE8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CE838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8395

Strings

*.*, xrefs: 00CE839B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 9e37df39ebc2d7995701cf081b037221f2684146a4c8e3f5e38bf12822c8815e
Instruction ID: a192b0225cc9334e802cab4e61d50f2309340ef564805ce939a1ed2d6608b9bc
Opcode Fuzzy Hash: 9e37df39ebc2d7995701cf081b037221f2684146a4c8e3f5e38bf12822c8815e
Instruction Fuzzy Hash: B76188725043459FCB10EF65C881AAEB3E8FF89314F04891EF99D97251DB31EA49CB92

Function 00CDD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C73A97,?,?,00C72E7F,?,?,?,00000000), ref: 00C73AC2

Part of subcall function 00CDE199: GetFileAttributesW.KERNEL32(?,00CDCF95), ref: 00CDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CDD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00CDD1DD
MoveFileW.KERNEL32(?,?), ref: 00CDD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CDD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CDD237

Part of subcall function 00CDD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00CDD21C,?,?), ref: 00CDD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00CDD253
FindClose.KERNEL32(00000000), ref: 00CDD264

Strings

\*.*, xrefs: 00CDD0CD, 00CDD0D6, 00CDD0EB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 80e44c38ba02fcc480198a0dfd8640b4d3480677da2ecbcc9fdf5486b35b1961
Instruction ID: 2ba0cb924ba8cb1ab3a7e1ef75b8f427a817950920e86c352c2bcd9193655004
Opcode Fuzzy Hash: 80e44c38ba02fcc480198a0dfd8640b4d3480677da2ecbcc9fdf5486b35b1961
Instruction Fuzzy Hash: 3C614E31C0114DAACF05EBE0D992DEDB7B5AF55300F248166E516772A2EB306F09EB61

Function 00CEED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CEED91
EmptyClipboard.USER32 ref: 00CEED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00CEEDAC
CloseClipboard.USER32 ref: 00CEEEA3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 61c46c6f285b8b8977a6e275d6678408bc7dc7a53e52ed6dfb654dc0d285c1f4
Instruction ID: b611a1f0723e28e7896bd7798383d7b9472840282e2b5c3f189821a441051d1a
Opcode Fuzzy Hash: 61c46c6f285b8b8977a6e275d6678408bc7dc7a53e52ed6dfb654dc0d285c1f4
Instruction Fuzzy Hash: F941CD35604651AFE320DF26D888B19BBE1FF44358F14C199E429CB7A2C736EE41CBA0

Function 00CDE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD170D
Part of subcall function 00CD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD173A
Part of subcall function 00CD16C3: GetLastError.KERNEL32 ref: 00CD174A

ExitWindowsEx.USER32(?,00000000), ref: 00CDE932

Strings

SeShutdownPrivilege, xrefs: 00CDE902
@, xrefs: 00CDE925
, xrefs: 00CDE95C
, xrefs: 00CDE920

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 0ed2480e97bca9c557d5332122974a0481b63ebebc46af3c9aff17d08202fd09
Instruction ID: 15c6a2261f438ae6b4df7a22ceaecdcb644abc2692ed65eeaf2068796b07d992
Opcode Fuzzy Hash: 0ed2480e97bca9c557d5332122974a0481b63ebebc46af3c9aff17d08202fd09
Instruction Fuzzy Hash: 7E012672621311BBEB2433B59C9ABFF725C9704750F180923FE12E63D1D5A05D4481A0

Function 00CF1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CF1276
WSAGetLastError.WSOCK32 ref: 00CF1283
bind.WSOCK32(00000000,?,00000010), ref: 00CF12BA
WSAGetLastError.WSOCK32 ref: 00CF12C5
closesocket.WSOCK32(00000000), ref: 00CF12F4
listen.WSOCK32(00000000,00000005), ref: 00CF1303
WSAGetLastError.WSOCK32 ref: 00CF130D
closesocket.WSOCK32(00000000), ref: 00CF133C

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ea0eb021e866b4783e644f576c4d583d30f8ae733aad55e33b4a5cf93519883f
Instruction ID: 4960358807edae1f77e8c0451e1af2325cd673861052c217e52761de93810d40
Opcode Fuzzy Hash: ea0eb021e866b4783e644f576c4d583d30f8ae733aad55e33b4a5cf93519883f
Instruction Fuzzy Hash: 4F417F31600245DFD750DF68C488B29BBE5AF46318F18C198E96A9F3A2C771ED85CBA1

Function 00CDD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C73A97,?,?,00C72E7F,?,?,?,00000000), ref: 00C73AC2

Part of subcall function 00CDE199: GetFileAttributesW.KERNEL32(?,00CDCF95), ref: 00CDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CDD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CDD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CDD481
FindClose.KERNEL32(00000000), ref: 00CDD498
FindClose.KERNEL32(00000000), ref: 00CDD4A1

Strings

\*.*, xrefs: 00CDD3F2

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2290501dbbbc4ff31c071c7fe0a24c82a9cbadb559558aeb53d12eb495ba7dee
Instruction ID: 4bf194489c6f49fbbe51736788dec485f6bc6fce60f913a31931ae7b25cbe38f
Opcode Fuzzy Hash: 2290501dbbbc4ff31c071c7fe0a24c82a9cbadb559558aeb53d12eb495ba7dee
Instruction Fuzzy Hash: DF3184314183459FC300EF64C8919AF77A8BE91314F449E1EF5DA932A1EB30AA09D763

Function 00CAE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CAE645

Strings

1#SNAN, xrefs: 00CAF844
1#QNAN, xrefs: 00CAF84B
1#IND, xrefs: 00CAF83D
1#INF, xrefs: 00CAF852

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7cffa3a26d057b7b4822eaaa8ad0a1ef95f9a7b7fbc843875f6dd95863eaeba6
Instruction ID: 8ca79032775263f25b9fd4853118f3d2c4bbe2e0ff690951c1668eee8503a701
Opcode Fuzzy Hash: 7cffa3a26d057b7b4822eaaa8ad0a1ef95f9a7b7fbc843875f6dd95863eaeba6
Instruction Fuzzy Hash: 05C25D71E0462A8FDF25CE68DD447EAB7B5EB46308F1441EAD45DE7240E774AE828F80

Function 00CE648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CE64DC
CoInitialize.OLE32(00000000), ref: 00CE6639
CoCreateInstance.OLE32(00D0FCF8,00000000,00000001,00D0FB68,?), ref: 00CE6650
CoUninitialize.OLE32 ref: 00CE68D4

Strings

.lnk, xrefs: 00CE64BA, 00CE6524, 00CE65E0

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bd4e945b558dc76b5d6719f0b44860647dbabd49dd064d1ba21a3122356de5ba
Instruction ID: 3eec1850809da67867602550423ec1cd8f5dd356c1f72b9bd0cef5b61346c67b
Opcode Fuzzy Hash: bd4e945b558dc76b5d6719f0b44860647dbabd49dd064d1ba21a3122356de5ba
Instruction Fuzzy Hash: E2D15B716183419FC314DF25C881E6BB7E8FF95344F10896DF5998B2A1DB30E909CBA2

Function 00CF22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CF22E8

Part of subcall function 00CEE4EC: GetWindowRect.USER32(?,?), ref: 00CEE504

GetDesktopWindow.USER32 ref: 00CF2312
GetWindowRect.USER32(00000000), ref: 00CF2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CF2355
GetCursorPos.USER32(?), ref: 00CF2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CF23DF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 15c84b4731af0b17541ac19e68e32bc96949a5c2cd2586cdc7abd7cb4c3eef8e
Instruction ID: ea0c24878697a616cc33b5a7cb561186e5054668359d99345bd5de7086197eea
Opcode Fuzzy Hash: 15c84b4731af0b17541ac19e68e32bc96949a5c2cd2586cdc7abd7cb4c3eef8e
Instruction Fuzzy Hash: 5231B0B25053199BC720DF55D849FABBBA9FB84314F000A19F699D7291D734EA08CB92

Function 00CE9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CE9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CE9C8B

Part of subcall function 00CE3874: GetInputState.USER32 ref: 00CE38CB
Part of subcall function 00CE3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CE9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CE9C75

Strings

*.*, xrefs: 00CE9B5D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 50e4f4303bc0ebaa0519e87dc0d5f409086a1b52ddd893285786c8bdba98327b
Instruction ID: f3dc9848b6c0a03beb3d15349c809b343251050f52e7e00779211dc98d272554
Opcode Fuzzy Hash: 50e4f4303bc0ebaa0519e87dc0d5f409086a1b52ddd893285786c8bdba98327b
Instruction Fuzzy Hash: 8A41837190024AAFCF24EF65C849AEEBBB8EF05310F248155E419A3191EB309F84DF61

Function 00C8997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C89A4E
GetSysColor.USER32(0000000F), ref: 00C89B23
SetBkColor.GDI32(?,00000000), ref: 00C89B36

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: a395b68411d19f0129c2beee1ea81a3197542b04253ae6808cea9318014d4098
Instruction ID: ae69229c5ed83241ed21edce1f788c64407cec6e94fd6c106501cccdaa8956ea
Opcode Fuzzy Hash: a395b68411d19f0129c2beee1ea81a3197542b04253ae6808cea9318014d4098
Instruction Fuzzy Hash: 61A10B70208504BFE72DBA2DCC59FBB269DEB42348B18031DF522D6AD1CA359E41E779

Function 00CF1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF307A
Part of subcall function 00CF304E: _wcslen.LIBCMT ref: 00CF309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CF185D
WSAGetLastError.WSOCK32 ref: 00CF1884
bind.WSOCK32(00000000,?,00000010), ref: 00CF18DB
WSAGetLastError.WSOCK32 ref: 00CF18E6
closesocket.WSOCK32(00000000), ref: 00CF1915

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9d8bc87e9929b034905a2e74bef6c44a310e9370c4c4e38a3e05ae1c864e20f9
Instruction ID: ac117bf90ccec2dae2e65db116cd253d368444954e05cf35ed38022f142e248e
Opcode Fuzzy Hash: 9d8bc87e9929b034905a2e74bef6c44a310e9370c4c4e38a3e05ae1c864e20f9
Instruction Fuzzy Hash: 6951B271A00204AFDB50AF24C886F3A77E5AB44718F18C15CFA1A9F3D3D771AD419BA1

Function 00D01C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D01CC0
IsWindowEnabled.USER32 ref: 00D01CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D01CDB
IsIconic.USER32 ref: 00D01CE9
IsZoomed.USER32 ref: 00D01CF7

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c9ab2dc34deb03c67e0ea16742c6968e827ba65e9f865e30aab7f0a6f8c261cb
Instruction ID: dcedbc033c76a83874dbca9e2f0570d231366641dc6d213abf0c51385d0eee42
Opcode Fuzzy Hash: c9ab2dc34deb03c67e0ea16742c6968e827ba65e9f865e30aab7f0a6f8c261cb
Instruction Fuzzy Hash: 73215E357412115FE7208F2AC884B6ABBA5FF95315B5D9068E84ECB391CB71EC42CBB4

Function 00C78060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C783E8
VUUU, xrefs: 00C7843C
VUUU, xrefs: 00CB5DF0
VUUU, xrefs: 00C783FA
ERCP, xrefs: 00C7813C

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 135ced6ecddd028e1d6e8d7f0b76eb02af3072d87f2587876420759ed34dcee1
Instruction ID: 83b99a15e72dc0a50cc4e9d07101c04139fd4949e81b2238ecc308a2e989b113
Opcode Fuzzy Hash: 135ced6ecddd028e1d6e8d7f0b76eb02af3072d87f2587876420759ed34dcee1
Instruction Fuzzy Hash: A7A2A170E4061ACBDF24CF59C8447EEB7B1BF54310F2481AAE929A7285DB749E85CF90

Function 00CDAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00CDAAAC
SetKeyboardState.USER32(00000080), ref: 00CDAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00CDAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00CDAB88

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: dccc52e70923ac32d9cbdafa31f8b0cbedae017f13fd511a86acece433b9d4ba
Instruction ID: d3af0d4c6c937e529488b14385c010b8ded38d8b89947cb806ced38cd094e092
Opcode Fuzzy Hash: dccc52e70923ac32d9cbdafa31f8b0cbedae017f13fd511a86acece433b9d4ba
Instruction Fuzzy Hash: 8B311630A40208BFFB358B658C05BFA7BA6AB45310F04431BF2A5963E0D3758A82D766

Function 00CABB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CABB7F

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

GetTimeZoneInformation.KERNEL32 ref: 00CABB91
WideCharToMultiByte.KERNEL32(00000000,?,00D4121C,000000FF,?,0000003F,?,?), ref: 00CABC09
WideCharToMultiByte.KERNEL32(00000000,?,00D41270,000000FF,?,0000003F,?,?,?,00D4121C,000000FF,?,0000003F,?,?), ref: 00CABC36

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: c978db01f25c742cc41d93edc3635253aad8914b53c9876a142d55fccac01163
Instruction ID: 946756bc4204d39c1394a9f401b702094fb311a291a8a63c514d747525a06027
Opcode Fuzzy Hash: c978db01f25c742cc41d93edc3635253aad8914b53c9876a142d55fccac01163
Instruction Fuzzy Hash: 6E31CF74904306DFCB10DF69DC81969BBB8FF47328B1442AAE025D73A2D7709E80DB64

Function 00CECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00CECE89
GetLastError.KERNEL32(?,00000000), ref: 00CECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00CECEFE

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: da8c6e7e4f69a1602a83d24c4365e1560b3a11c96f95d6eabe9a675250e21f0f
Instruction ID: c8f4c85e64bc06627adf620fb0e849ca6169342ae892d22a830552fa244d4829
Opcode Fuzzy Hash: da8c6e7e4f69a1602a83d24c4365e1560b3a11c96f95d6eabe9a675250e21f0f
Instruction Fuzzy Hash: 3321BAB1900305AFEB20DFA6C989BAAB7F8EB50314F10441EE556E2251E770EE069B64

Function 00CD8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CD82AA

Strings

(, xrefs: 00CD82F0
|, xrefs: 00CD82DA

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d540c2f640c9b418ddaa26ea69a69066f2390f5947550bf1c359b75c1eab0987
Instruction ID: 2a8f0c13751035a234515ec66d8da92ed89a9fb8d4ae373f19ffdd15e03cc446
Opcode Fuzzy Hash: d540c2f640c9b418ddaa26ea69a69066f2390f5947550bf1c359b75c1eab0987
Instruction Fuzzy Hash: BD323674A007059FCB28DF19C481A6AB7F0FF48720B15C56EE5AADB3A1EB70E941CB54

Function 00CE5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CE5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00CE5D17
FindClose.KERNEL32(?), ref: 00CE5D5F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f130ef684b28411121d2c2beaba387a2efe034fbe98a4c54f380cd70a8018d33
Instruction ID: 6d7cae7b7742e79740179e75b517734e8a549e43a0fa1b96512803adc6ce4e24
Opcode Fuzzy Hash: f130ef684b28411121d2c2beaba387a2efe034fbe98a4c54f380cd70a8018d33
Instruction Fuzzy Hash: B351AC34604A419FC714DF29C894A9AB7E4FF49318F14855DE96A8B3A2CB30EE04CB91

Function 00CA2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CA271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CA2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00CA2731

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a3a226bd4798539a69b552a68897c704e16f436259f30c0c0c161cf9f0c68422
Instruction ID: b559c1afabae6e62290c19875e8a3adb6651b1ade10fec7b8b14f8f4259af48b
Opcode Fuzzy Hash: a3a226bd4798539a69b552a68897c704e16f436259f30c0c0c161cf9f0c68422
Instruction Fuzzy Hash: 8331C674911328ABCB21DF68DC88798B7B8BF08310F5041DAE81CA7260E7309F819F54

Function 00CE51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CE51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CE5238
SetErrorMode.KERNEL32(00000000), ref: 00CE52A1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c1eef29e85b505ae61ee4dfdf91b5571f93b5451757fb7ca503b0a5002d6686e
Instruction ID: a76789d7bf2151e524bdfee5037d190473cff3b287eddd44fe97b792389baaf4
Opcode Fuzzy Hash: c1eef29e85b505ae61ee4dfdf91b5571f93b5451757fb7ca503b0a5002d6686e
Instruction Fuzzy Hash: 87318075A00608DFDB00DF55D884FADBBB4FF09318F048099E9099B392CB31E845CBA1

Function 00CD16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C90668
Part of subcall function 00C8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C90685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD173A
GetLastError.KERNEL32 ref: 00CD174A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 70d5f981eaf0274238b9e05beacac4ef3d6d220a05070f8f0036ae2be2f373e6
Instruction ID: 2e0280059a3658b1a9d378b6205ef0eb78a2e841f3116f11877660849788e95a
Opcode Fuzzy Hash: 70d5f981eaf0274238b9e05beacac4ef3d6d220a05070f8f0036ae2be2f373e6
Instruction Fuzzy Hash: 6B11BCB2410304BFE728AF64DC86E6BB7BDEB04714B24852EE55692251EB70BC428B24

Function 00CDD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CDD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00CDD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CDD650

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0f391cf7f7b1c29e51d08cb680d47998e7719816473a39f50021234d74a3f6c7
Instruction ID: b26a53a0122f7c904c266912eccae687eb1ba3c9cde6bcb8d4869c37becebae1
Opcode Fuzzy Hash: 0f391cf7f7b1c29e51d08cb680d47998e7719816473a39f50021234d74a3f6c7
Instruction Fuzzy Hash: AE117C71E01328BBDB108FA59C44FAFBBBCEB45B50F108156F918E7390D2704A018BA1

Function 00CD1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CD168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CD16A1
FreeSid.ADVAPI32(?), ref: 00CD16B1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 70dca1218a268adc3ea710e2c6af0def34cc212911a4f0373cdbebbb77673d1f
Instruction ID: 26cbe2ffa047b56e8b9f58c69b32df65ca45e312fcc2843fe6c816cb4ca3d13f
Opcode Fuzzy Hash: 70dca1218a268adc3ea710e2c6af0def34cc212911a4f0373cdbebbb77673d1f
Instruction Fuzzy Hash: AFF0F471950309FBEB00DFE49D89AAEBBBCEB08604F504565E901E2281E774AA448A60

Function 00CCD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00CCD28C

Strings

X64, xrefs: 00CCD2A8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f0ed4f37327d08aa803ad0849d0318fab003917d5bac094676ce0d5622b8e9ce
Instruction ID: 484e2aacc7c165cf725fa694e9daf164a4b8d9c36dd7c2d51d4364ef89e8084a
Opcode Fuzzy Hash: f0ed4f37327d08aa803ad0849d0318fab003917d5bac094676ce0d5622b8e9ce
Instruction Fuzzy Hash: F2D0C9B481111DEACB94DB90DCC8ED9B37CBB04305F100295F10AE2140D73095498F20

Function 00C9CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 889f6a180275049e092e9c36b78680d9f1481ff33b9fe0134d5df2df4ed5f887
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 2F021C72E002199FDF14CFA9C9C46ADFBF1EF48314F25816AD829E7384D731AA418B94

Function 00CE68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CE6918
FindClose.KERNEL32(00000000), ref: 00CE6961

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 47326caccc2fbbf6d6fd0941d41d205c0d6cd39ba69ebd695b9a17d923247c60
Instruction ID: 68ca60cb8f8ce02afc266f42f878ee664ceb085cd91ec6fffa4cfaeeb3763274
Opcode Fuzzy Hash: 47326caccc2fbbf6d6fd0941d41d205c0d6cd39ba69ebd695b9a17d923247c60
Instruction Fuzzy Hash: CF118E316142419FC710DF6AD484A1ABBE5FF85328F14C699E4698F7A2C730EC05CB91

Function 00CE37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CF4891,?,?,00000035,?), ref: 00CE37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CF4891,?,?,00000035,?), ref: 00CE37F4

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dcfec0dd66b16a03b1d507f1787da0e37d6e4c93165e6aee026c3f7b4bb1bf97
Instruction ID: 1afdc0795ac04a8b9f8e7652d3becc67b3f94fba8e653a57d1d1141d10daad6e
Opcode Fuzzy Hash: dcfec0dd66b16a03b1d507f1787da0e37d6e4c93165e6aee026c3f7b4bb1bf97
Instruction Fuzzy Hash: B9F0A0B06053682AEA2057A78C4DFEB3AAEEFC5761F000265B509D22D1D9609904C6B0

Function 00CDB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CDB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00CDB270

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 8849233c6608e8d8dcbc5ede5bb557f9c28c62b91ab8ef5da3eb58e804b021e8
Instruction ID: 7fa38fcebb63dc3367abfba50d4fa6c93338240af3e81856e6cfd7357634d69f
Opcode Fuzzy Hash: 8849233c6608e8d8dcbc5ede5bb557f9c28c62b91ab8ef5da3eb58e804b021e8
Instruction Fuzzy Hash: 72F01D7581424EABDB059FA1C805BAE7BB4FF04305F00900AF965A5292C37986119FA4

Function 00CD10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CD11FC), ref: 00CD10D4
CloseHandle.KERNEL32(?,?,00CD11FC), ref: 00CD10E9

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 55086096288fe8a1e97214d1476e98b2c0eb9c33e4056f663b41c1cf30b017b9
Instruction ID: 3225818441f484e3cbe468e0b4c326798261d96629d5acbb809510009ccf32c2
Opcode Fuzzy Hash: 55086096288fe8a1e97214d1476e98b2c0eb9c33e4056f663b41c1cf30b017b9
Instruction Fuzzy Hash: 48E04F32014700EEE7252B11FC05F7377A9EB04310B14892EF5A5805B1DB62ACA0EB24

Function 00C7CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00CC0C40

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 4094139804e1bee53b11fa1135ff39a4e7e22962d2cafbf52f5fdff5455386d8
Instruction ID: a4a7e0e3174b7f6a4623e088e8cb90953a3d25ba12abd370a370d0a8f1a7fac1
Opcode Fuzzy Hash: 4094139804e1bee53b11fa1135ff39a4e7e22962d2cafbf52f5fdff5455386d8
Instruction Fuzzy Hash: A3328B70900219DBDF14DF94C885FEDB7B5BF05308F24806DE81AAB292D735AE46DB61

Function 00CA676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CA6766,?,?,00000008,?,?,00CAFEFE,00000000), ref: 00CA6998

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5b740cf1d799c853502034ff7bde98dcc0f26970211748af1821964e4564e2d4
Instruction ID: 48c271b352c8be24168cff457db8f36a5f0f474083a76af2a9592ee03169739b
Opcode Fuzzy Hash: 5b740cf1d799c853502034ff7bde98dcc0f26970211748af1821964e4564e2d4
Instruction Fuzzy Hash: D0B12D7151060A9FD715CF28C48AB657BE0FF46368F298658E8A9CF2E1C735DE91CB40

Function 00C8B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00CC851F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6e20d15df19d7f07fc9e3105572c28351bcdfc69370ee9911748f5e8ffdaccf4
Instruction ID: f92bd0cbf3da08644002ff08a841d624dcf79e5c154032edb6ee1d73487e2d67
Opcode Fuzzy Hash: 6e20d15df19d7f07fc9e3105572c28351bcdfc69370ee9911748f5e8ffdaccf4
Instruction Fuzzy Hash: F01270719002299BDB14DF59C881BEEB7B5FF48710F1481AAE809EB251DB309E85CFA4

Function 00CEEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CEEABD

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 217695f45353514774f5173c5f4030c0c966cbc20997226c147a1d1f69546bfd
Instruction ID: b9b0859efa15aac4b4530aaeea13985a15f321166bf453e4efdfe8f181978c95
Opcode Fuzzy Hash: 217695f45353514774f5173c5f4030c0c966cbc20997226c147a1d1f69546bfd
Instruction Fuzzy Hash: 48E012312102059FC710EF5AD444E9ABBD9AF58760F00842AFC49C7351D770A8409B90

Function 00C909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C903EE), ref: 00C909DA

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f31a13ab6f6682ee1e37767498c7835083787ee6ae4432ef8050d9258eb5638e
Instruction ID: 46923d12b51be5985d2a3a5e5f78d1eacbbcdb32454e5d4384e1637fa957531a
Opcode Fuzzy Hash: f31a13ab6f6682ee1e37767498c7835083787ee6ae4432ef8050d9258eb5638e
Instruction Fuzzy Hash:

Function 00C9781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C9798B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0c45e17a8096f7d7a91312b817f15a749498b5fcbaf414fae88ea8df9ecf70a6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 5451897163F7055BDF388669895E7BE2385DB02704F180709E8A2EB2C2CA15DF06E35E

Function 00CA6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb40b8073dc11f0dfe5e5ec88a93ee9fb89207679faa54a5d1bb24a96559742
Instruction ID: 3b3afdff6f3c3417af60e68ead79501eced84fb1f19d6fdf0f555b494a1e92f9
Opcode Fuzzy Hash: 1cb40b8073dc11f0dfe5e5ec88a93ee9fb89207679faa54a5d1bb24a96559742
Instruction Fuzzy Hash: 2F322522D29F024DDB239635DC223366649AFB73C9F15D737F82AB5AA5EF29C5834100

Function 00C8CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7588bdeb9e89dbec76bcf2302cec703f8a8155062bb5cff34e68c8d7eeed9e42
Instruction ID: 2b43a943924734dca4e157084c79af9618d56f46d52ee1cedbf717fec2144369
Opcode Fuzzy Hash: 7588bdeb9e89dbec76bcf2302cec703f8a8155062bb5cff34e68c8d7eeed9e42
Instruction Fuzzy Hash: 63320532A001158BDF28DF29C4E4F7D7BA1EB45304F29856ED46EDB291D234DE81EB61

Function 00C77920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142b604999590721d8078ef10e2f0fc33205ccfd9d9894b489f0341f0645863d
Instruction ID: fb42541454f2ca8e2348aa0d1624bff58316c6f76c5502a20f74629b46546fc7
Opcode Fuzzy Hash: 142b604999590721d8078ef10e2f0fc33205ccfd9d9894b489f0341f0645863d
Instruction Fuzzy Hash: 3422AE70A00609DFDF14CF65C881AEEB7F5FF48300F248629E816A7291EB36AE15DB50

Function 00C791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ad10b0fb2904ecb8c8f0600a9537a6faa3535ff727772b4682b479c9617d60
Instruction ID: 958d574201f9e64237ae1420e3599e4c54382405fc0b9a2daaa8d26dcb490fb7
Opcode Fuzzy Hash: e8ad10b0fb2904ecb8c8f0600a9537a6faa3535ff727772b4682b479c9617d60
Instruction Fuzzy Hash: 1302C7B1A00205EBDF04DF65D881AEEBBB5FF44704F108169E81ADB391EB31AE11DB95

Function 00CA9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d209be7c122fb24dfd1ea6ca75087ad6b161fca71f982fdda51c110cdce8fa4f
Instruction ID: bf5f7d5a6f85207c156e922932a1b1d0ec4b11ebee87872e78cf0ff048ba41c2
Opcode Fuzzy Hash: d209be7c122fb24dfd1ea6ca75087ad6b161fca71f982fdda51c110cdce8fa4f
Instruction Fuzzy Hash: 9EB1D220D2AF415DD62396398831336FA5CAFBB6D5F51D71BFC26B4E62EF2186834140

Function 00C91C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: e06fdc9c56439624388cc98827dd0d2d37b48724a18138462c53fc5375cee323
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F59136736090A34ADF2A463A857E07DFFE15B523A131E079DDCF2CA1C5EE24DA64D620

Function 00C91F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 2307530bc6fe2d0c450cfb2175704ca759d19b6f4c1e66e329cd15d8fc01b266
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: A89168722090A359DF6D467A857D03EFFE15B923A131E079DD8F2CB1C5EE24CA64E620

Function 00C919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1e6dd8e6e9ea20a47233dbb3a60ef22df369d3da0c6a9a2694a4623a498229b3
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A69113722090E34EDF69467A857E03DFFE15B923A231E079DD8F2CA1C5FD24DA54A620

Function 00C97A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed32fbe71f2231879ce58ee54a7a86fb44d900b438ec75f455055666f8aee8db
Instruction ID: 9d3c2aa2b2a8e845bf41a3ebb2cf85387de9c32a8b8f54f233902854e1688b45
Opcode Fuzzy Hash: ed32fbe71f2231879ce58ee54a7a86fb44d900b438ec75f455055666f8aee8db
Instruction Fuzzy Hash: 48618A3123A30997DE389A2C8C9DBBE2395EF41700F141B1AF853DB291DA11DF46E355

Function 00C97CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0611012019e1c4f6d6ad6df589a34ccf416a1065868c1370410a0c7dcffce33c
Instruction ID: a62b0e2f9e4dc225eac12479ab25b89fe7cfb899b690d1f1a6362174714b91b8
Opcode Fuzzy Hash: 0611012019e1c4f6d6ad6df589a34ccf416a1065868c1370410a0c7dcffce33c
Instruction Fuzzy Hash: 5A618A7333A7099BDE384A28889EBBF3384EF42704F100B59E853DB681DA12DF469355

Function 00C91706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 84535b48698272dcd6d4b4725498ca700f9c159e5b35563a0560d0190068a08b
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F38151726090A349DF69467A853A43EFFE15B923A131F079DD8F2CA1C1EE24D754E620

Function 00CE2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b72e3cad500d82ec822a472369dfe2e90af336cf27c4ffd69a8f08e570eda3
Instruction ID: b4c2899fd66122bbed6111cacc245a6dae0e6e87ec713f1973aa851d0617a90f
Opcode Fuzzy Hash: c4b72e3cad500d82ec822a472369dfe2e90af336cf27c4ffd69a8f08e570eda3
Instruction Fuzzy Hash: F021BB326206158BD728CF79C81367E73E9A754310F55862EE4A7C37D0DE35A904D790

Function 00CF2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CF2B30
DeleteObject.GDI32(00000000), ref: 00CF2B43
DestroyWindow.USER32 ref: 00CF2B52
GetDesktopWindow.USER32 ref: 00CF2B6D
GetWindowRect.USER32(00000000), ref: 00CF2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CF2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CF2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2CF8
GetClientRect.USER32(00000000,?), ref: 00CF2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CF2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D80
GlobalLock.KERNEL32(00000000), ref: 00CF2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2D98
GlobalUnlock.KERNEL32(00000000), ref: 00CF2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2DA8
GlobalFree.KERNEL32(00000000), ref: 00CF2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D0FC38,00000000), ref: 00CF2DDB
GlobalFree.KERNEL32(00000000), ref: 00CF2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CF2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CF2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF303F

Strings

AutoIt v3, xrefs: 00CF2CF2
DISPLAY, xrefs: 00CF2EA2
static, xrefs: 00CF2D3A, 00CF2E91
, xrefs: 00CF2FC5

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 40748fb572bdab15981ec40b7fdedc5d13cd26b0c297064cfd175cc9a08805d1
Instruction ID: bdda16f38bfc968dfeea409c283c9afb69f20bb4a1914cc744bb3ddff16c0333
Opcode Fuzzy Hash: 40748fb572bdab15981ec40b7fdedc5d13cd26b0c297064cfd175cc9a08805d1
Instruction Fuzzy Hash: 19027E75510219AFDB14DFA4CC89FAE7BB9EF49710F108258F919EB2A1CB70AD01CB61

Function 00D070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D0712F
GetSysColorBrush.USER32(0000000F), ref: 00D07160
GetSysColor.USER32(0000000F), ref: 00D0716C
SetBkColor.GDI32(?,000000FF), ref: 00D07186
SelectObject.GDI32(?,?), ref: 00D07195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D071C0
GetSysColor.USER32(00000010), ref: 00D071C8
CreateSolidBrush.GDI32(00000000), ref: 00D071CF
FrameRect.USER32(?,?,00000000), ref: 00D071DE
DeleteObject.GDI32(00000000), ref: 00D071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D07230
FillRect.USER32(?,?,?), ref: 00D07262
GetWindowLongW.USER32(?,000000F0), ref: 00D07284

Part of subcall function 00D073E8: GetSysColor.USER32(00000012), ref: 00D07421
Part of subcall function 00D073E8: SetTextColor.GDI32(?,?), ref: 00D07425
Part of subcall function 00D073E8: GetSysColorBrush.USER32(0000000F), ref: 00D0743B
Part of subcall function 00D073E8: GetSysColor.USER32(0000000F), ref: 00D07446
Part of subcall function 00D073E8: GetSysColor.USER32(00000011), ref: 00D07463
Part of subcall function 00D073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D07471
Part of subcall function 00D073E8: SelectObject.GDI32(?,00000000), ref: 00D07482
Part of subcall function 00D073E8: SetBkColor.GDI32(?,00000000), ref: 00D0748B
Part of subcall function 00D073E8: SelectObject.GDI32(?,?), ref: 00D07498
Part of subcall function 00D073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D074B7
Part of subcall function 00D073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D074CE
Part of subcall function 00D073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D074DB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ae0a348106ae03e2a56078fa5dc24bb5641772eb7ce8b3601c650bd8a8e3c123
Instruction ID: 9fb4384d3ee3cc33c6b558a461a06125b3a46eb33c4f6f5e4c56ff0b7e8555da
Opcode Fuzzy Hash: ae0a348106ae03e2a56078fa5dc24bb5641772eb7ce8b3601c650bd8a8e3c123
Instruction Fuzzy Hash: 4CA19072418301AFD7109F60DC48B5B7BA9FF89320F141B19F9AADA2E1D771E944CB62

Function 00C88D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C88E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00CC6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CC6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CC6F43

Part of subcall function 00C88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C88BE8,?,00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00C88FC5

SendMessageW.USER32(?,00001053), ref: 00CC6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CC6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CC6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CC6FB7

Strings

0, xrefs: 00CC6DCF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: cfe984c4a37f50945dcbd30f6be7ae05700702a2869c49412a1a4470ac2cb85a
Instruction ID: 3aeff4d487e494fafb2385be512ed9c9f0697179ab539ea516efa69ba98885fe
Opcode Fuzzy Hash: cfe984c4a37f50945dcbd30f6be7ae05700702a2869c49412a1a4470ac2cb85a
Instruction Fuzzy Hash: 5812BC38200201AFDB21DF24CA94FA6B7E1FB49304F54456DE4A9CB661CB31ED96DFA1

Function 00CF2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CF273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CF286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CF28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CF28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CF2900
GetClientRect.USER32(00000000,?), ref: 00CF290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CF2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CF2964
GetStockObject.GDI32(00000011), ref: 00CF2974
SelectObject.GDI32(00000000,00000000), ref: 00CF2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CF2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CF2991
DeleteDC.GDI32(00000000), ref: 00CF299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CF29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CF29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CF2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CF2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CF2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CF2A77
GetStockObject.GDI32(00000011), ref: 00CF2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CF2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CF2A97

Strings

AutoIt v3, xrefs: 00CF28F8
msctls_progress32, xrefs: 00CF2A13
DISPLAY, xrefs: 00CF295A
static, xrefs: 00CF294F, 00CF2A71

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: abd31faf1fcb6891b096ab6fd8b40b5ae0f92243de127ce204ccfaf2e20c509c
Instruction ID: 7de6709c66a1e79768543109628a7e62b1a1c9b1e7c9cd4a4f04cbb377c9cced
Opcode Fuzzy Hash: abd31faf1fcb6891b096ab6fd8b40b5ae0f92243de127ce204ccfaf2e20c509c
Instruction Fuzzy Hash: E0B13E75A50319AFEB14DFA8CC49FAE7BA9EB49710F108215FA15E72D0D770AD40CBA0

Function 00CE4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CE4AED
GetDriveTypeW.KERNEL32(?,00D0CB68,?,\\.\,00D0CC08), ref: 00CE4BCA
SetErrorMode.KERNEL32(00000000,00D0CB68,?,\\.\,00D0CC08), ref: 00CE4D36

Strings

CDROM, xrefs: 00CE4BFB
SATA, xrefs: 00CE4CD0
Virtual, xrefs: 00CE4CE5
RAMDisk, xrefs: 00CE4BF4
Network, xrefs: 00CE4C02
SAS, xrefs: 00CE4CC9
Unknown, xrefs: 00CE4BED, 00CE4C83
ATAPI, xrefs: 00CE4C91
FileBackedVirtual, xrefs: 00CE4CEC
SCSI, xrefs: 00CE4C8A
USB, xrefs: 00CE4CB4
SSD, xrefs: 00CE4C4A
MMC, xrefs: 00CE4CDE
\\.\, xrefs: 00CE4B3F
Fibre, xrefs: 00CE4CAD
ATA, xrefs: 00CE4C98
RAID, xrefs: 00CE4CBB
PhysicalDrive, xrefs: 00CE4B76
iSCSI, xrefs: 00CE4CC2
1394, xrefs: 00CE4C9F
Removable, xrefs: 00CE4C10, 00CE4C15
SSA, xrefs: 00CE4CA6
Fixed, xrefs: 00CE4C09

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7dc23c390a5b4d45556cc1092a3082f277fad738d7d44106ba977b40111724ee
Instruction ID: 4fe6dec480d29339e5b9dfeaf20591d5f5d152b520cc40a895c7b49870dabcf7
Opcode Fuzzy Hash: 7dc23c390a5b4d45556cc1092a3082f277fad738d7d44106ba977b40111724ee
Instruction Fuzzy Hash: D461AF30605286EFCB08DF26DA829AD77B0EB44740F34C415F80AAB691DB75EE45EB61

Function 00D073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D07421
SetTextColor.GDI32(?,?), ref: 00D07425
GetSysColorBrush.USER32(0000000F), ref: 00D0743B
GetSysColor.USER32(0000000F), ref: 00D07446
CreateSolidBrush.GDI32(?), ref: 00D0744B
GetSysColor.USER32(00000011), ref: 00D07463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D07471
SelectObject.GDI32(?,00000000), ref: 00D07482
SetBkColor.GDI32(?,00000000), ref: 00D0748B
SelectObject.GDI32(?,?), ref: 00D07498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D0752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D07554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D07572
DrawFocusRect.USER32(?,?), ref: 00D0757D
GetSysColor.USER32(00000011), ref: 00D0758E
SetTextColor.GDI32(?,00000000), ref: 00D07596
DrawTextW.USER32(?,00D070F5,000000FF,?,00000000), ref: 00D075A8
SelectObject.GDI32(?,?), ref: 00D075BF
DeleteObject.GDI32(?), ref: 00D075CA
SelectObject.GDI32(?,?), ref: 00D075D0
DeleteObject.GDI32(?), ref: 00D075D5
SetTextColor.GDI32(?,?), ref: 00D075DB
SetBkColor.GDI32(?,?), ref: 00D075E5

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 117b4d8472ffee032ddaf96fd69c0d83b8cc48754c345868c787f2de53f7b0b4
Instruction ID: 1e186a7820d73d964f59efd6ee0081673e875e2d856fac130348e281ab1a51c7
Opcode Fuzzy Hash: 117b4d8472ffee032ddaf96fd69c0d83b8cc48754c345868c787f2de53f7b0b4
Instruction Fuzzy Hash: 6E616C76D00218AFDB019FA4DC49BEE7FB9EB09320F145215F919EB2E1D771A940CBA0

Function 00D00FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D01128
GetDesktopWindow.USER32 ref: 00D0113D
GetWindowRect.USER32(00000000), ref: 00D01144
GetWindowLongW.USER32(?,000000F0), ref: 00D01199
DestroyWindow.USER32(?), ref: 00D011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D0120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D0121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D01232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D01245
IsWindowVisible.USER32(00000000), ref: 00D012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D012D0
GetWindowRect.USER32(00000000,?), ref: 00D012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D0130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D01328
CopyRect.USER32(?,?), ref: 00D0133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D013AA

Strings

tooltips_class32, xrefs: 00D011E6
0, xrefs: 00D010D3
(, xrefs: 00D0131B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9d3717abb87c61346560498b7cbae8441a35a163d3c766082a88a4770ba45744
Instruction ID: 7afc32ee1e786767881fa946aba9ebc0e9254c043f202de6129aae94916106ca
Opcode Fuzzy Hash: 9d3717abb87c61346560498b7cbae8441a35a163d3c766082a88a4770ba45744
Instruction Fuzzy Hash: 71B18B75604341AFD714DF64C885B6ABBE4FF84754F008A1CF99D9B2A1C771E844CBA2

Function 00C88891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C88968
GetSystemMetrics.USER32(00000007), ref: 00C88970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C8899B
GetSystemMetrics.USER32(00000008), ref: 00C889A3
GetSystemMetrics.USER32(00000004), ref: 00C889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C88A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C88A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C88A5A
GetStockObject.GDI32(00000011), ref: 00C88A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C88A81

Part of subcall function 00C8912D: GetCursorPos.USER32(?), ref: 00C89141
Part of subcall function 00C8912D: ScreenToClient.USER32(00000000,?), ref: 00C8915E
Part of subcall function 00C8912D: GetAsyncKeyState.USER32(00000001), ref: 00C89183
Part of subcall function 00C8912D: GetAsyncKeyState.USER32(00000002), ref: 00C8919D

SetTimer.USER32(00000000,00000000,00000028,00C890FC), ref: 00C88AA8

Strings

AutoIt v3 GUI, xrefs: 00C88A20

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7108c35587e5af6196d41276abeff2d40d3ab4c442f565c65ed62e5dcef88de8
Instruction ID: b9442e2a8f6f51e8c657d7c69c6202f6994ac4582e5fb9c34db60bc38ef6465f
Opcode Fuzzy Hash: 7108c35587e5af6196d41276abeff2d40d3ab4c442f565c65ed62e5dcef88de8
Instruction Fuzzy Hash: 7AB16D79A00209AFDB14DFA8CD49BAE3BB5FB48314F104229FA15E72D0DB74A941CF65

Function 00CD0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1114
Part of subcall function 00CD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1120
Part of subcall function 00CD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD112F
Part of subcall function 00CD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1136
Part of subcall function 00CD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD0E29
GetLengthSid.ADVAPI32(?), ref: 00CD0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00CD0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD0E96
GetLengthSid.ADVAPI32(?), ref: 00CD0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CD0EB5
HeapAlloc.KERNEL32(00000000), ref: 00CD0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CD0EDD
CopySid.ADVAPI32(00000000), ref: 00CD0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CD0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0F6E
HeapFree.KERNEL32(00000000), ref: 00CD0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0F7E
HeapFree.KERNEL32(00000000), ref: 00CD0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD0F8E
HeapFree.KERNEL32(00000000), ref: 00CD0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00CD0FA1
HeapFree.KERNEL32(00000000), ref: 00CD0FA8

Part of subcall function 00CD1193: GetProcessHeap.KERNEL32(00000008,00CD0BB1,?,00000000,?,00CD0BB1,?), ref: 00CD11A1
Part of subcall function 00CD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CD0BB1,?), ref: 00CD11A8
Part of subcall function 00CD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CD0BB1,?), ref: 00CD11B7

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 953e7989dcb864f85d48ab110af5e1d32adf5f35eb3b1b33eaaa06514503cb9d
Instruction ID: 381f400f9c9ee728c98ba56da4e424b1cdf63ed1c9dfddd4e05e2b76937e9f1c
Opcode Fuzzy Hash: 953e7989dcb864f85d48ab110af5e1d32adf5f35eb3b1b33eaaa06514503cb9d
Instruction Fuzzy Hash: 43714272900309ABDF10DFA5DC49FEEBBB8BF05311F244216FA69E6291D7719A05CB60

Function 00CFC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D0CC08,00000000,?,00000000,?,?), ref: 00CFC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CFC5A4
_wcslen.LIBCMT ref: 00CFC5F4
_wcslen.LIBCMT ref: 00CFC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CFC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CFC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CFC84D
RegCloseKey.ADVAPI32(?), ref: 00CFC881
RegCloseKey.ADVAPI32(00000000), ref: 00CFC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CFC960

Strings

REG_QWORD, xrefs: 00CFC8C3
REG_DWORD, xrefs: 00CFC804
REG_EXPAND_SZ, xrefs: 00CFC5CD
REG_MULTI_SZ, xrefs: 00CFC6F5
REG_BINARY, xrefs: 00CFC913
REG_SZ, xrefs: 00CFC644

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ea91163b2b18fbf1c50fa6d3ee159a3b8154a5887a64299660c9754edc6f62c7
Instruction ID: 3c64195d07b3fc7db73e1cd99ea61a603fe3ffa318f99d7b6fb715f328dfae18
Opcode Fuzzy Hash: ea91163b2b18fbf1c50fa6d3ee159a3b8154a5887a64299660c9754edc6f62c7
Instruction Fuzzy Hash: 5B1278312042099FCB54DF24C981E2AB7E5FF88754F14895CF99A9B3A2DB31ED41DB82

Function 00D0091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D009C6
_wcslen.LIBCMT ref: 00D00A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D00A54
_wcslen.LIBCMT ref: 00D00A8A
_wcslen.LIBCMT ref: 00D00B06
_wcslen.LIBCMT ref: 00D00B81

Part of subcall function 00C8F9F2: _wcslen.LIBCMT ref: 00C8F9FD

Part of subcall function 00CD2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CD2BFA

Strings

GETTEXT, xrefs: 00D00C97
GETITEMCOUNT, xrefs: 00D00C1E
UNCHECK, xrefs: 00D00D3E
GETSELECTED, xrefs: 00D00C4E
EXPAND, xrefs: 00D00BF8
SELECT, xrefs: 00D00D11
EXISTS, xrefs: 00D00B7C, 00D00B97
GETTOTALCOUNT, xrefs: 00D009F2, 00D00A17
COLLAPSE, xrefs: 00D00B01, 00D00B1C
CHECK, xrefs: 00D00A85, 00D00AA0
ISCHECKED, xrefs: 00D00CE1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 34bf5350adbc42d8921fc0e8226bd369fe79d68726dfdcf28b18fcd09ab5f176
Instruction ID: d140d2900af70b7fae97df48abb571180c4baa333eeefe3f262e5259853c457f
Opcode Fuzzy Hash: 34bf5350adbc42d8921fc0e8226bd369fe79d68726dfdcf28b18fcd09ab5f176
Instruction Fuzzy Hash: 3BE19F31208701AFC714DF24C450A2ABBE1FF98354F18895DF89A9B3A2D731ED46DBA1

Function 00CFC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
_wcslen.LIBCMT ref: 00CFC9F1
_wcslen.LIBCMT ref: 00CFCA68
_wcslen.LIBCMT ref: 00CFCA9E
_wcslen.LIBCMT ref: 00CFCAF9
_wcslen.LIBCMT ref: 00CFCB2F
_wcslen.LIBCMT ref: 00CFCB7F

Strings

HKCU, xrefs: 00CFCBCE
HKEY_CURRENT_USER, xrefs: 00CFCBBD
HKU, xrefs: 00CFCBF0
HKEY_USERS, xrefs: 00CFCBDF
HKCR, xrefs: 00CFCB29, 00CFCB2E
HKEY_LOCAL_MACHINE, xrefs: 00CFCA62, 00CFCA67
HKLM, xrefs: 00CFCA98, 00CFCA9D
HKEY_CLASSES_ROOT, xrefs: 00CFCAF3, 00CFCAF8
HKEY_CURRENT_CONFIG, xrefs: 00CFCB79, 00CFCB7E
HKCC, xrefs: 00CFCBAC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: bc0f1bc88c49836923b5f9ffe92c9a9d3b360b599b278ad9789493e9fef267c0
Instruction ID: 548ff8f0c2be7e092315bcca8b31b8b70ab5175b03725270d454e1f7b93db57a
Opcode Fuzzy Hash: bc0f1bc88c49836923b5f9ffe92c9a9d3b360b599b278ad9789493e9fef267c0
Instruction Fuzzy Hash: 3871147270052E8BCB60DE3DCAC15BE3391AF60754F210528FA7697284E631DE45E3A2

Function 00D0833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D0835A
_wcslen.LIBCMT ref: 00D0836E
_wcslen.LIBCMT ref: 00D08391
_wcslen.LIBCMT ref: 00D083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D0361A,?), ref: 00D0844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D08487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D08501
FreeLibrary.KERNEL32(?), ref: 00D0850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D0851D
DestroyIcon.USER32(?), ref: 00D0852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D08549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D08555

Strings

.icl, xrefs: 00D08368
.exe, xrefs: 00D08388
.dll, xrefs: 00D083AB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: d6c94904bdd3be6ec7d4bdae0147fdebb033ab5652e16f14e5bbdb48beb51bb6
Instruction ID: 0e02d5a187e975f93abc0b76e63478e7a1b7bd247459507e0e1d59fcb8d88328
Opcode Fuzzy Hash: d6c94904bdd3be6ec7d4bdae0147fdebb033ab5652e16f14e5bbdb48beb51bb6
Instruction Fuzzy Hash: A061BF71900319BEEB14DF64CC89BBE77A8BB04B21F104609F859E61D1DB74E980EBB0

Function 00C77778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00CB5279
#requireadmin, xrefs: 00C777FF
#comments-start, xrefs: 00C7785F, 00C778B1
#OnAutoItStartRegister, xrefs: 00C77817
#pragma compile, xrefs: 00C777D3
#cs, xrefs: 00C77873, 00C778C5
#ce, xrefs: 00C778ED
#include, xrefs: 00C77847
", xrefs: 00CB5153
#notrayicon, xrefs: 00C777E7
#comments-end, xrefs: 00C778D9
#include-once, xrefs: 00C7782F
', xrefs: 00CB5169
Unterminated group of comments, xrefs: 00CB528C
Bad directive syntax error, xrefs: 00CB519A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 2ecf5cbe5f66406e13278c1002931541b70ea05238dafa80453142444c239e2a
Instruction ID: 5d4946d3284a49056c15ec2f4f7e24c448fa9944050572995ddce79a1d354fa7
Opcode Fuzzy Hash: 2ecf5cbe5f66406e13278c1002931541b70ea05238dafa80453142444c239e2a
Instruction Fuzzy Hash: 4681F271604209BFDF25AF64CC82FAE37A8AF15300F048125F918AB1D6EB70DA15E7A1

Function 00CE3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00CE3EF8
_wcslen.LIBCMT ref: 00CE3F03
_wcslen.LIBCMT ref: 00CE3F5A
_wcslen.LIBCMT ref: 00CE3F98
GetDriveTypeW.KERNEL32(?), ref: 00CE3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CE401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CE4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CE4087

Strings

wait, xrefs: 00CE4044
type cdaudio alias cd wait, xrefs: 00CE4001
closed, xrefs: 00CE3F08, 00CE3F2D, 00CE3F46, 00CE3F7E, 00CE3F97
close, xrefs: 00CE3EFE, 00CE3F18
set cd door , xrefs: 00CE4028
open, xrefs: 00CE3F54, 00CE3F59
open , xrefs: 00CE3FE5
close cd wait, xrefs: 00CE4072

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 39acbf74e861919333897309e45e60640303c36d98bc78ac32dd987e6f339219
Instruction ID: 70f751590e7c370d963a8d1ed9a8fd7ee6387eeb0f105e81c8223650f1747b7f
Opcode Fuzzy Hash: 39acbf74e861919333897309e45e60640303c36d98bc78ac32dd987e6f339219
Instruction Fuzzy Hash: 9E71D2326043419FC710EF35C88186AB7F4EF94754F10892DF8A997291EB30EE49DB61

Function 00CD5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00CD5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CD5A40
SetWindowTextW.USER32(?,?), ref: 00CD5A57
GetDlgItem.USER32(?,000003EA), ref: 00CD5A6C
SetWindowTextW.USER32(00000000,?), ref: 00CD5A72
GetDlgItem.USER32(?,000003E9), ref: 00CD5A82
SetWindowTextW.USER32(00000000,?), ref: 00CD5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CD5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CD5AC3
GetWindowRect.USER32(?,?), ref: 00CD5ACC
_wcslen.LIBCMT ref: 00CD5B33
SetWindowTextW.USER32(?,?), ref: 00CD5B6F
GetDesktopWindow.USER32 ref: 00CD5B75
GetWindowRect.USER32(00000000), ref: 00CD5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00CD5BD3
GetClientRect.USER32(?,?), ref: 00CD5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00CD5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CD5C2F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3dd5086bd2f5a942293d0003b70159e665e9ef59130b1dc4dbb991f300ab869d
Instruction ID: 9a2e38858558bf33af6fad6e7032437d49bec07c5c31ebfb6087568e91673c4d
Opcode Fuzzy Hash: 3dd5086bd2f5a942293d0003b70159e665e9ef59130b1dc4dbb991f300ab869d
Instruction Fuzzy Hash: 1B717031900B05AFDB20DFA9CD85B6EBBF5FF48704F10461AE256E26A0D775E940CB60

Function 00CEFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00CEFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00CEFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00CEFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00CEFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00CEFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00CEFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00CEFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00CEFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00CEFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00CEFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00CEFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00CEFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00CEFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00CEFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00CEFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00CEFECC
GetCursorInfo.USER32(?), ref: 00CEFEDC
GetLastError.KERNEL32 ref: 00CEFF1E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 178e51fd74a65d081abc1792c2d95383ef64fb25584dd6421c433edd562f5c94
Instruction ID: aecfb9aef630b8dc6ba1670806b643a8421edfc84c8008365c53fe8b20acce73
Opcode Fuzzy Hash: 178e51fd74a65d081abc1792c2d95383ef64fb25584dd6421c433edd562f5c94
Instruction Fuzzy Hash: 934163B0D043596ADB10DFBA8C8985EBFE8FF04354B50852AF11DE7291DB78A901CF91

Function 00C900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C900C6

Part of subcall function 00C900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D4070C,00000FA0,79E1C6FD,?,?,?,?,00CB23B3,000000FF), ref: 00C9011C
Part of subcall function 00C900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00CB23B3,000000FF), ref: 00C90127
Part of subcall function 00C900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00CB23B3,000000FF), ref: 00C90138
Part of subcall function 00C900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C9014E
Part of subcall function 00C900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C9015C
Part of subcall function 00C900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C9016A
Part of subcall function 00C900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C90195
Part of subcall function 00C900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C901A0

___scrt_fastfail.LIBCMT ref: 00C900E7

Part of subcall function 00C900A3: __onexit.LIBCMT ref: 00C900A9

Strings

WakeAllConditionVariable, xrefs: 00C90162
SleepConditionVariableCS, xrefs: 00C90154
kernel32.dll, xrefs: 00C90133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C90122
InitializeConditionVariable, xrefs: 00C90148

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 8d7bf465b838833f22cc7a0a234b264dee9cdfc605784108b95f00de6501a0a9
Instruction ID: 1ef7a818ca470ae88e870960fdbdfb0aae67fad51447f33a3d7937fff94294fe
Opcode Fuzzy Hash: 8d7bf465b838833f22cc7a0a234b264dee9cdfc605784108b95f00de6501a0a9
Instruction Fuzzy Hash: C721DB32654710AFDB206BA4AC0EB6E3798DB05B51F20023AF905E37D1DB749C009AB5

Function 00CD30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CD318D
_wcslen.LIBCMT ref: 00CD31F8

Strings

INSTANCE, xrefs: 00CD3453
TEXT, xrefs: 00CD347C
CLASSNN, xrefs: 00CD31F3, 00CD3204
REGEXPCLASS, xrefs: 00CD3255, 00CD3266
CLASS, xrefs: 00CD3188, 00CD31A5
NAME, xrefs: 00CD3335, 00CD3346

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 4e50a9e20285d89bd5e5c6646c46286639cc375b5acc0fb0cae29eb9b89c1d30
Instruction ID: cd0e13a0013c56532906878587d25e154a6f045f04d88a2a23f5d3a8ad6f2c6a
Opcode Fuzzy Hash: 4e50a9e20285d89bd5e5c6646c46286639cc375b5acc0fb0cae29eb9b89c1d30
Instruction Fuzzy Hash: 94E1F532A00556ABCF189F64C8517EEFBB4BF44710F14811BE666B7350EB30AF8597A1

Function 00CE44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D0CC08), ref: 00CE4527
_wcslen.LIBCMT ref: 00CE453B
_wcslen.LIBCMT ref: 00CE4599
_wcslen.LIBCMT ref: 00CE45F4
_wcslen.LIBCMT ref: 00CE463F
_wcslen.LIBCMT ref: 00CE46A7

Part of subcall function 00C8F9F2: _wcslen.LIBCMT ref: 00C8F9FD

GetDriveTypeW.KERNEL32(?,00D36BF0,00000061), ref: 00CE4743

Strings

cdrom, xrefs: 00CE458F, 00CE4594
ramdisk, xrefs: 00CE46F1
unknown, xrefs: 00CE4708
removable, xrefs: 00CE45EA, 00CE45EF
all, xrefs: 00CE4531, 00CE4536
network, xrefs: 00CE469D, 00CE46A2
fixed, xrefs: 00CE4635, 00CE463A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d7fa6f1a641cab0c12a388d95af1dcc0f637fb934a81fae9dc943ac3bb9aad6e
Instruction ID: 6d93b4d014f6e34bf518959e632ea2a195ffc401c3d77564c4342851725d07f6
Opcode Fuzzy Hash: d7fa6f1a641cab0c12a388d95af1dcc0f637fb934a81fae9dc943ac3bb9aad6e
Instruction Fuzzy Hash: 04B106716083429FC718DF2AC890A6EB7E5FFA5720F50891DF4AAC7291D730D945CBA2

Function 00CF3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D0CC08), ref: 00CF40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CF40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00D0CC08), ref: 00CF40F2
FreeLibrary.KERNEL32(00000000,?,00D0CC08), ref: 00CF413E
StringFromGUID2.OLE32(?,?,00000028,?,00D0CC08), ref: 00CF41A8
SysFreeString.OLEAUT32(00000009), ref: 00CF4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CF42C8
SysFreeString.OLEAUT32(?), ref: 00CF42F2

Strings

kernel32.dll, xrefs: 00CF40B6
GetModuleHandleExW, xrefs: 00CF40C7

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: e86584e8f6ad77abf134c3fa93833fffc684c8678e040ddab11b1eba60787fb6
Instruction ID: e51441d717cddee1e41ba691de2085764d9965a4310c20c3541e9ba0b2581831
Opcode Fuzzy Hash: e86584e8f6ad77abf134c3fa93833fffc684c8678e040ddab11b1eba60787fb6
Instruction Fuzzy Hash: EB125E75A00209EFDB58DF54C884EBEBBB5FF45314F248098EA15AB251C731EE46CBA1

Function 00C7326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D41990), ref: 00CB2F8D
GetMenuItemCount.USER32(00D41990), ref: 00CB303D
GetCursorPos.USER32(?), ref: 00CB3081
SetForegroundWindow.USER32(00000000), ref: 00CB308A
TrackPopupMenuEx.USER32(00D41990,00000000,?,00000000,00000000,00000000), ref: 00CB309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CB30A9

Strings

0, xrefs: 00C7327D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0dd06c973f7a1c69c1e05f214c2e351f935926d7353149a03b7f6fe46dfa51db
Instruction ID: 758bd81011fa32777dfc8dd5973b05af318e0833966b0fe4f60a8a1cfcea0f6b
Opcode Fuzzy Hash: 0dd06c973f7a1c69c1e05f214c2e351f935926d7353149a03b7f6fe46dfa51db
Instruction Fuzzy Hash: F6712B70640256BFEB219F65DC49FEABF64FF05364F204216F528AA2E1C7B1AE10DB50

Function 00D06CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00D06DEB

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D06E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D06E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D06E94
DestroyWindow.USER32(?), ref: 00D06EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C70000,00000000), ref: 00D06EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D06EFD
GetDesktopWindow.USER32 ref: 00D06F16
GetWindowRect.USER32(00000000), ref: 00D06F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D06F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D06F4D

Part of subcall function 00C89944: GetWindowLongW.USER32(?,000000EB), ref: 00C89952

Strings

tooltips_class32, xrefs: 00D06E58, 00D06EDD
0, xrefs: 00D06D98

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f5c34ee84c80ecd5b2985abe59718367e97be2f778c3f70d7b5226c2931f668f
Instruction ID: 073b7c8209d2ba547f17ae5027869e09c2b83736cc39ad5d7d2f7c6835afd1e5
Opcode Fuzzy Hash: f5c34ee84c80ecd5b2985abe59718367e97be2f778c3f70d7b5226c2931f668f
Instruction Fuzzy Hash: 3C718578104341AFDB21CF18D844BAABBE9FF89300F48491DFA99C72A1D771E956DB21

Function 00D0911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

DragQueryPoint.SHELL32(?,?), ref: 00D09147

Part of subcall function 00D07674: ClientToScreen.USER32(?,?), ref: 00D0769A
Part of subcall function 00D07674: GetWindowRect.USER32(?,?), ref: 00D07710
Part of subcall function 00D07674: PtInRect.USER32(?,?,00D08B89), ref: 00D07720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D09225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D0923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D09255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D09277
DragFinish.SHELL32(?), ref: 00D0927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D09371

Strings

@GUI_DROPID, xrefs: 00D0929E
@GUI_DRAGFILE, xrefs: 00D09320
@GUI_DRAGID, xrefs: 00D092E9

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86777a6fe0d1994fa85d3ea6aa97e1325fd8c7908a4b2d102bb92a90f44c8301
Instruction ID: 18cd33a06b231c13d6079a1616379df43529e43ed58b7bf7a8d99eb0b9ff8b32
Opcode Fuzzy Hash: 86777a6fe0d1994fa85d3ea6aa97e1325fd8c7908a4b2d102bb92a90f44c8301
Instruction Fuzzy Hash: 60615971108301AFD701DF64DC85EAFBBE8FF89750F404A1DF599922A1DB70AA49CB62

Function 00CEC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CEC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CEC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CEC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CEC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CEC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CEC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CEC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CEC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CEC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CEC5F0
InternetCloseHandle.WININET(00000000), ref: 00CEC5FB

Strings

, xrefs: 00CEC575

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c2f4b25ad079409ddd32062467e90bd377d754682c8e28c61da27d8aedf02e23
Instruction ID: 5d8db692fcf860b611a42ea7c1f3afc93d4857027380544060850533137948ed
Opcode Fuzzy Hash: c2f4b25ad079409ddd32062467e90bd377d754682c8e28c61da27d8aedf02e23
Instruction Fuzzy Hash: A4517CB1501348BFDB219F62C988ABB7BBCFF48344F00451AF95AD6250DB34EA05AB60

Function 00D0856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00D08592
GetFileSize.KERNEL32(00000000,00000000), ref: 00D085A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00D085AD
CloseHandle.KERNEL32(00000000), ref: 00D085BA
GlobalLock.KERNEL32(00000000), ref: 00D085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D085D7
GlobalUnlock.KERNEL32(00000000), ref: 00D085E0
CloseHandle.KERNEL32(00000000), ref: 00D085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D085F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D0FC38,?), ref: 00D08611
GlobalFree.KERNEL32(00000000), ref: 00D08621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00D08641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D08671
DeleteObject.GDI32(00000000), ref: 00D08699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D086AF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 69a822f50b8d283083a49f276eabd12b8e91126ced4caa813c7a59d2d4928c22
Instruction ID: b698305f78dc88ecdf50d4d18d302f9c7ef3f23dc93408592c09d49eb6ca9a4a
Opcode Fuzzy Hash: 69a822f50b8d283083a49f276eabd12b8e91126ced4caa813c7a59d2d4928c22
Instruction Fuzzy Hash: 21410975610304EFDB119FA5CC88FAA7BB8EF89711F148158F94AE72A0DB719901DB70

Function 00CE14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00CE1502
VariantCopy.OLEAUT32(?,?), ref: 00CE150B
VariantClear.OLEAUT32(?), ref: 00CE1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CE15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00CE1657
VariantInit.OLEAUT32(?), ref: 00CE1708
SysFreeString.OLEAUT32(?), ref: 00CE178C
VariantClear.OLEAUT32(?), ref: 00CE17D8
VariantClear.OLEAUT32(?), ref: 00CE17E7
VariantInit.OLEAUT32(00000000), ref: 00CE1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00CE1625
Default, xrefs: 00CE16AF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 621bad4841d3eb95d0989a98aeb1ad3b6a142a10c2ceaeca0a7b6bfd2850389a
Instruction ID: 9f29185b349a369dbff5c40430496b0db93bcef05da4bb44dedc178189516ac2
Opcode Fuzzy Hash: 621bad4841d3eb95d0989a98aeb1ad3b6a142a10c2ceaeca0a7b6bfd2850389a
Instruction Fuzzy Hash: D6D10431600285EBDB00AF67D885BBDB7B5BF45700F18815AFC16AB284DB30ED65EB61

Function 00CFB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFC9F1
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA68
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CFB80A
RegCloseKey.ADVAPI32(?), ref: 00CFB87E
RegCloseKey.ADVAPI32(?), ref: 00CFB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CFB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CFB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CFB922
FreeLibrary.KERNEL32(00000000), ref: 00CFB983
RegCloseKey.ADVAPI32(00000000), ref: 00CFB994

Strings

advapi32.dll, xrefs: 00CFB8ED
RegDeleteKeyExW, xrefs: 00CFB8FE

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 7e8a58585495bcb1b6580c802e12ee2211a4a0b334407f74884b76fb5223f93c
Instruction ID: ca3b48fb828a0b76acb357257b94d6eef440ab4013554f76894b7c765ec09bcf
Opcode Fuzzy Hash: 7e8a58585495bcb1b6580c802e12ee2211a4a0b334407f74884b76fb5223f93c
Instruction Fuzzy Hash: 4EC16C30204205AFD754DF24C495F2ABBE5FF84318F14855CF6AA8B2A2CB71EE45DB92

Function 00CF255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CF25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CF25E8
CreateCompatibleDC.GDI32(?), ref: 00CF25F4
SelectObject.GDI32(00000000,?), ref: 00CF2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CF266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CF26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CF26D0
SelectObject.GDI32(?,?), ref: 00CF26D8
DeleteObject.GDI32(?), ref: 00CF26E1
DeleteDC.GDI32(?), ref: 00CF26E8
ReleaseDC.USER32(00000000,?), ref: 00CF26F3

Strings

(, xrefs: 00CF268D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e1acce2489653ef2229d9965099ba042f0df206a8b671dd6e7f6dd8c09e02025
Instruction ID: ea69e54e78a2476473c5eadbd061dba8b5191bc4873458de12e6072cdfac1587
Opcode Fuzzy Hash: e1acce2489653ef2229d9965099ba042f0df206a8b671dd6e7f6dd8c09e02025
Instruction Fuzzy Hash: 8C61C175D00219EFCB14CFA4D884AAEBBB5FF48310F20852AEA59E7350D774A951DF60

Function 00CADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CADAA1

Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD659
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD66B
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD67D
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD68F
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6A1
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6B3
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6C5
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6D7
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6E9
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD6FB
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD70D
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD71F
Part of subcall function 00CAD63C: _free.LIBCMT ref: 00CAD731

_free.LIBCMT ref: 00CADA96

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CADAB8
_free.LIBCMT ref: 00CADACD
_free.LIBCMT ref: 00CADAD8
_free.LIBCMT ref: 00CADAFA
_free.LIBCMT ref: 00CADB0D
_free.LIBCMT ref: 00CADB1B
_free.LIBCMT ref: 00CADB26
_free.LIBCMT ref: 00CADB5E
_free.LIBCMT ref: 00CADB65
_free.LIBCMT ref: 00CADB82
_free.LIBCMT ref: 00CADB9A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fce8ca35c191ed9c972d67a94b358be9727571c8b74f895756dc1c6b384a0a78
Instruction ID: 4fe2cbd42cf1be435dd3dee542db308247317bb381c58a9e0ef4d4bc477caf85
Opcode Fuzzy Hash: fce8ca35c191ed9c972d67a94b358be9727571c8b74f895756dc1c6b384a0a78
Instruction Fuzzy Hash: A4316B326043069FEB61AA38E845B9B77E8FF02718F114419F46BD7591DF30AE80A721

Function 00CD365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CD369C
_wcslen.LIBCMT ref: 00CD36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CD3797
GetClassNameW.USER32(?,?,00000400), ref: 00CD380C
GetDlgCtrlID.USER32(?), ref: 00CD385D
GetWindowRect.USER32(?,?), ref: 00CD3882
GetParent.USER32(?), ref: 00CD38A0
ScreenToClient.USER32(00000000), ref: 00CD38A7
GetClassNameW.USER32(?,?,00000100), ref: 00CD3921
GetWindowTextW.USER32(?,?,00000400), ref: 00CD395D

Strings

%s%u, xrefs: 00CD3734

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 4d6fd4a585a11802773d617c407f71c90fe96c1f3bd508b65ff39e354b6c69fd
Instruction ID: 24edd016896c0b797d6aed5d40da3c29faffe611bfefa89fc4cfa1afcfde93b6
Opcode Fuzzy Hash: 4d6fd4a585a11802773d617c407f71c90fe96c1f3bd508b65ff39e354b6c69fd
Instruction Fuzzy Hash: 8B91B971204746AFD715DF24C895FAAF7A8FF44350F40462AFAA9D2290DB30EB45CB92

Function 00CD4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00CD4994
GetWindowTextW.USER32(?,?,00000400), ref: 00CD49DA
_wcslen.LIBCMT ref: 00CD49EB
CharUpperBuffW.USER32(?,00000000), ref: 00CD49F7
_wcsstr.LIBVCRUNTIME ref: 00CD4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00CD4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00CD4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00CD4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00CD4B20
GetWindowRect.USER32(?,?), ref: 00CD4B8B

Strings

ThumbnailClass, xrefs: 00CD4A6F, 00CD4AF1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 27c73b72824d56a0675e1d617c9821115ca1709c2026e77f2929617f70b51bfb
Instruction ID: f22785ad13821bd62c02cc93a8691b49a8a4eebbd33d7bff6e6e2f7ff7dc08ae
Opcode Fuzzy Hash: 27c73b72824d56a0675e1d617c9821115ca1709c2026e77f2929617f70b51bfb
Instruction Fuzzy Hash: 0C91CB31004205AFDB18DF14C985BAA77A8FF94304F04856BFF999A296DB30EE45CBA1

Function 00CDBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D41990,000000FF,00000000,00000030), ref: 00CDBFAC
SetMenuItemInfoW.USER32(00D41990,00000004,00000000,00000030), ref: 00CDBFE1
Sleep.KERNEL32(000001F4), ref: 00CDBFF3
GetMenuItemCount.USER32(?), ref: 00CDC039
GetMenuItemID.USER32(?,00000000), ref: 00CDC056
GetMenuItemID.USER32(?,-00000001), ref: 00CDC082
GetMenuItemID.USER32(?,?), ref: 00CDC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CDC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CDC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CDC145

Strings

0, xrefs: 00CDBF3D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 5cd9032e802669ae3d94224389ca5ecc6a553d44acf9daa8cdc82f33b9b4f7f7
Instruction ID: a23d8e7e1866f85ce6a65d6b4bf5da03006e05caa3b12d2d5cb74e8fcdac4ae5
Opcode Fuzzy Hash: 5cd9032e802669ae3d94224389ca5ecc6a553d44acf9daa8cdc82f33b9b4f7f7
Instruction Fuzzy Hash: AF61AFB490035AEFDF21CF64CCC8AAE7BB8EB05344F004156EA15A3391D735AE44DB60

Function 00CFCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CFCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CFCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CFCD48

Part of subcall function 00CFCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CFCCAA
Part of subcall function 00CFCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CFCCBD
Part of subcall function 00CFCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CFCCCF
Part of subcall function 00CFCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CFCD05
Part of subcall function 00CFCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CFCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CFCCF3

Strings

advapi32.dll, xrefs: 00CFCCB8
RegDeleteKeyExW, xrefs: 00CFCCC9

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 757f05bf6424cd2e14422208d5a59e3b86a034d43e2bf4ad5e4a93c700bf68b5
Instruction ID: 73331a4d73c2017a25a479085b474a2168801b60dc13e0aa87f60d00f006fa9a
Opcode Fuzzy Hash: 757f05bf6424cd2e14422208d5a59e3b86a034d43e2bf4ad5e4a93c700bf68b5
Instruction Fuzzy Hash: 62317C71A0122CBBDB208B51DD88EFFBB7CEF45750F000165EA1AE3240DA749A45DAB1

Function 00CE3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CE3D40
_wcslen.LIBCMT ref: 00CE3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CE3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CE3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00CE3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CE3E55
CloseHandle.KERNEL32(00000000), ref: 00CE3E60
CloseHandle.KERNEL32(00000000), ref: 00CE3E6B

Strings

\, xrefs: 00CE3D77
:, xrefs: 00CE3D82
\??\%s, xrefs: 00CE3D5B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: a8621f2347b721f5a3729c6823713e46106229e9c0011a85915a59cfb137fec1
Instruction ID: a9ec36dfdcc85f87a75e0aa5d747bf43c669cbfae276a5d50f97aacf7537ceda
Opcode Fuzzy Hash: a8621f2347b721f5a3729c6823713e46106229e9c0011a85915a59cfb137fec1
Instruction Fuzzy Hash: B1318171910289ABDB219BA1DC49FEB37BCEF89700F5041A9F519D6160E774A7448B24

Function 00CDE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CDE6B4

Part of subcall function 00C8E551: timeGetTime.WINMM(?,?,00CDE6D4), ref: 00C8E555

Sleep.KERNEL32(0000000A), ref: 00CDE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00CDE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CDE727
SetActiveWindow.USER32 ref: 00CDE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CDE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00CDE773
Sleep.KERNEL32(000000FA), ref: 00CDE77E
IsWindow.USER32 ref: 00CDE78A
EndDialog.USER32(00000000), ref: 00CDE79B

Strings

BUTTON, xrefs: 00CDE719

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5e89dbeabc65e931a76786122284ff2cc25eddd2be54bb186cb037e8a9d2eda8
Instruction ID: 599289d7db51c307e67a232ff6cd5ad3c8f35d11b9c5cc41defde67984cf71c6
Opcode Fuzzy Hash: 5e89dbeabc65e931a76786122284ff2cc25eddd2be54bb186cb037e8a9d2eda8
Instruction Fuzzy Hash: F7218EB8210314AFEB106F60ECCAB363B69F756348F512526F619C63B1DB72AC019A35

Function 00CDE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CDEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CDEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CDEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CDEAA7

Strings

alias PlayMe, xrefs: 00CDEA36
play PlayMe, xrefs: 00CDEAA2
play PlayMe wait, xrefs: 00CDEA91
status PlayMe mode, xrefs: 00CDEA58
close PlayMe, xrefs: 00CDEA6E, 00CDEA9B
open , xrefs: 00CDEA0C

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d79a6077293ccaa97f93450519b01f1b2e52aa8f1bf18f24646242c262ab87eb
Instruction ID: 47506a57792c13f58b48ad8e3ef53ee0b033090125f9a7963a4ac63507ee48ae
Opcode Fuzzy Hash: d79a6077293ccaa97f93450519b01f1b2e52aa8f1bf18f24646242c262ab87eb
Instruction Fuzzy Hash: 02117331A902697DD720F7A2DC4AEFF6A7CEBD1B00F00442AB519A60D1EE704E09D9B0

Function 00CD9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CDA012
SetKeyboardState.USER32(?), ref: 00CDA07D
GetAsyncKeyState.USER32(000000A0), ref: 00CDA09D
GetKeyState.USER32(000000A0), ref: 00CDA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00CDA0E3
GetKeyState.USER32(000000A1), ref: 00CDA0F4
GetAsyncKeyState.USER32(00000011), ref: 00CDA120
GetKeyState.USER32(00000011), ref: 00CDA12E
GetAsyncKeyState.USER32(00000012), ref: 00CDA157
GetKeyState.USER32(00000012), ref: 00CDA165
GetAsyncKeyState.USER32(0000005B), ref: 00CDA18E
GetKeyState.USER32(0000005B), ref: 00CDA19C

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d84e0ab803fd27108fc9ba4cf5f93c39ca1d91608f293d3fc1545ee6da225fd5
Instruction ID: b9b00eb9b72b0ca7f734b7079eb798e0f9cb8344e14c450d471bbe85fdec2a26
Opcode Fuzzy Hash: d84e0ab803fd27108fc9ba4cf5f93c39ca1d91608f293d3fc1545ee6da225fd5
Instruction Fuzzy Hash: 8951DA3490478469FB35EBA044517EEAFB49F12340F08459BD6D2573C2DA64AB4CC762

Function 00CD5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00CD5CE2
GetWindowRect.USER32(00000000,?), ref: 00CD5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00CD5D59
GetDlgItem.USER32(?,00000002), ref: 00CD5D69
GetWindowRect.USER32(00000000,?), ref: 00CD5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00CD5DCF
GetDlgItem.USER32(?,000003E9), ref: 00CD5DDD
GetWindowRect.USER32(00000000,?), ref: 00CD5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00CD5E31
GetDlgItem.USER32(?,000003EA), ref: 00CD5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CD5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00CD5E67

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f65f65a6e97df798db9fd58d97183a28a73ee4f0afa6dfba050bedace44cfd19
Instruction ID: 7a98ea4f726701132d8563ff08f18bb25df626f4558ff1f47eac7e29bda0155e
Opcode Fuzzy Hash: f65f65a6e97df798db9fd58d97183a28a73ee4f0afa6dfba050bedace44cfd19
Instruction Fuzzy Hash: 2851FD71A10709AFDB18DF68DD89BAEBBB5EB48301F548229F519E6390D7709E04CB60

Function 00C88BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C88BE8,?,00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00C88FC5

DestroyWindow.USER32(?), ref: 00C88C81
KillTimer.USER32(00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00C88D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00CC6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00CC69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C88BBA,00000000,?), ref: 00CC69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C88BBA,00000000), ref: 00CC69D4
DeleteObject.GDI32(00000000), ref: 00CC69E6

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a15a94433dd990edd77c9c5981f80569178e3e4116e2d9d9614400868f7a090f
Instruction ID: 89595f6b25c784205bd47f1806e8febecad040de124394cc1b01bb9a0088c00e
Opcode Fuzzy Hash: a15a94433dd990edd77c9c5981f80569178e3e4116e2d9d9614400868f7a090f
Instruction Fuzzy Hash: 7561BD38102700DFDB21AF15DA48B257BF1FB4531AF50451CE0669BAA4CB31AEC8DFA8

Function 00C89838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C89944: GetWindowLongW.USER32(?,000000EB), ref: 00C89952

GetSysColor.USER32(0000000F), ref: 00C89862

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c62ce8e458260a70cb937fd393e59507c31c66bda93f1e138a07edc44cc3ea64
Instruction ID: 10f56bf337507c1d2b7839731be39a0fc0582950a78936c2e7c4897248cc5d6f
Opcode Fuzzy Hash: c62ce8e458260a70cb937fd393e59507c31c66bda93f1e138a07edc44cc3ea64
Instruction Fuzzy Hash: DA418C31104740AFDB20AF38DC88BB93BA5EB06328F194719F9B6872E1C6319942DB25

Function 00CD96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00CBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00CD9717
LoadStringW.USER32(00000000,?,00CBF7F8,00000001), ref: 00CD9720

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00CBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00CD9742
LoadStringW.USER32(00000000,?,00CBF7F8,00000001), ref: 00CD9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00CD9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CD984A
^ ERROR, xrefs: 00CD97FB
Error: , xrefs: 00CD981D
Line %d (File "%s"):, xrefs: 00CD978F
Line %d:, xrefs: 00CD97A0

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3bb3d4498a4400127fbf28cceb6178948aeedb0c1d2bedb0f2543603acfc680d
Instruction ID: 3d0012d344879fbfed0ac1a9579390c4539e10db22360ac32bd8ed33bbe6a1e4
Opcode Fuzzy Hash: 3bb3d4498a4400127fbf28cceb6178948aeedb0c1d2bedb0f2543603acfc680d
Instruction Fuzzy Hash: 7B414E72900209AACF14FBE0CD86DEE7378EF55340F504165F609721A2EB356F49EB61

Function 00CD06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CD07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CD07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CD07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CD0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00CD082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CD0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CD083C

Strings

\IPC$, xrefs: 00CD0784
SOFTWARE\Classes\, xrefs: 00CD070E
\CLSID, xrefs: 00CD0724

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 8f38962322f244f176443c279bad0bbaf32b6eca56580448bf2f211a5b4a4838
Instruction ID: 8324b0fdf405edb34db58252656d037a83ef579014fb010bc4c92767bd4d79da
Opcode Fuzzy Hash: 8f38962322f244f176443c279bad0bbaf32b6eca56580448bf2f211a5b4a4838
Instruction Fuzzy Hash: 62412A72C10229ABDF11EBA4DC85DEDB778FF44350F148129E915A72A1EB309E04DFA0

Function 00D03F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D0403B
CreateCompatibleDC.GDI32(00000000), ref: 00D04042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D04055
SelectObject.GDI32(00000000,00000000), ref: 00D0405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D04068
DeleteDC.GDI32(00000000), ref: 00D04072
GetWindowLongW.USER32(?,000000EC), ref: 00D0407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00D04092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00D0409E

Strings

static, xrefs: 00D03FD3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 6b5fd56e651f77f333bb534148bb1e6ccfd0e58181a7f2a3a218a165aee16dbf
Instruction ID: b1e620dd8fd6c9cd57e02d3054852bd62b3562bb4a7229a1eb2df192ac7d53ab
Opcode Fuzzy Hash: 6b5fd56e651f77f333bb534148bb1e6ccfd0e58181a7f2a3a218a165aee16dbf
Instruction Fuzzy Hash: 0B315872111219ABDB229FA4CC08FDA3B68EF0D320F140310FA58E61E0C775D821DBA0

Function 00CF3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CF3C5C
CoInitialize.OLE32(00000000), ref: 00CF3C8A
CoUninitialize.OLE32 ref: 00CF3C94
_wcslen.LIBCMT ref: 00CF3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CF3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CF3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CF3F0E
CoGetObject.OLE32(?,00000000,00D0FB98,?), ref: 00CF3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CF3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CF3FC4
VariantClear.OLEAUT32(?), ref: 00CF3FD8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: cfffdab02a2ea85c7488440689d1fd77c5d9be1503d580046dc12bdb0b396cee
Instruction ID: cd250360477b628839bd9d36a138ab9975c3db02100e08effc1e46b49162f4db
Opcode Fuzzy Hash: cfffdab02a2ea85c7488440689d1fd77c5d9be1503d580046dc12bdb0b396cee
Instruction Fuzzy Hash: D7C14571608349AFC740DF68C884A2BB7E9FF89744F10495DFA8A9B250D730EE45CB62

Function 00CE7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CE7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CE7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00CE7BA3
CoCreateInstance.OLE32(00D0FD08,00000000,00000001,00D36E6C,?), ref: 00CE7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CE7C74
CoTaskMemFree.OLE32(?,?), ref: 00CE7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00CE7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CE7D7A
CoTaskMemFree.OLE32(00000000), ref: 00CE7D81
CoTaskMemFree.OLE32(00000000), ref: 00CE7DD6
CoUninitialize.OLE32 ref: 00CE7DDC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c20f51f5f63297ac723141bd042fccdaf92f8284c21383e394f7e18ce1504b4f
Instruction ID: 79d81fb8f802f11a214002f4516c474fdcd52f15f14139b9ae6402c430805677
Opcode Fuzzy Hash: c20f51f5f63297ac723141bd042fccdaf92f8284c21383e394f7e18ce1504b4f
Instruction Fuzzy Hash: 0CC11A75A04249AFCB14DFA5C888DAEBBF9FF48304B148599E819DB361D730EE45CB90

Function 00D0541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D05504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D05515
CharNextW.USER32(00000158), ref: 00D05544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D05585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D0559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D055AC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 93e2fe587f8fedef72a11e04634005303b574ee22d9d98fcfd80fdcfbd7e5750
Instruction ID: b578f02975d42a6fd0aa941804e4982ddedaf17f6b869b37d8285477b7528222
Opcode Fuzzy Hash: 93e2fe587f8fedef72a11e04634005303b574ee22d9d98fcfd80fdcfbd7e5750
Instruction Fuzzy Hash: 13616934900608ABDB208F54EC84BFF7BB9EB0A320F544145F969AB2E4D7709A81DF70

Function 00CCFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CCFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00CCFB08
VariantInit.OLEAUT32(?), ref: 00CCFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00CCFB3A
VariantCopy.OLEAUT32(?,?), ref: 00CCFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00CCFBA1
VariantClear.OLEAUT32(?), ref: 00CCFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00CCFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CCFBCC
VariantClear.OLEAUT32(?), ref: 00CCFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CCFBE9

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 850585fd0cfb105746fcd9f134732ee1497c32010ccec4f02897b70f48d5cd2c
Instruction ID: 6f4508f391766b6ee8041c734d03aea6d18f58387f3f2e9549fb0a0d8eefd8ed
Opcode Fuzzy Hash: 850585fd0cfb105746fcd9f134732ee1497c32010ccec4f02897b70f48d5cd2c
Instruction Fuzzy Hash: 6F413035A002199FCB00DF64C868EADBBB9FF48344F00816DE959E7261C730EE46DBA0

Function 00CD9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CD9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00CD9D22
GetKeyState.USER32(000000A0), ref: 00CD9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00CD9D57
GetKeyState.USER32(000000A1), ref: 00CD9D6C
GetAsyncKeyState.USER32(00000011), ref: 00CD9D84
GetKeyState.USER32(00000011), ref: 00CD9D96
GetAsyncKeyState.USER32(00000012), ref: 00CD9DAE
GetKeyState.USER32(00000012), ref: 00CD9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00CD9DD8
GetKeyState.USER32(0000005B), ref: 00CD9DEA

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8f493696d61156aad81a6f70597b1fb35096bdc51b2fb35fe8044624bed19319
Instruction ID: 857de0e74fa9145d123a77497f315095def7e68d7e8ea881aecce19b3600416f
Opcode Fuzzy Hash: 8f493696d61156aad81a6f70597b1fb35096bdc51b2fb35fe8044624bed19319
Instruction Fuzzy Hash: A441C4385047C969FF309B6488043A5BEA1EB12344F04805BDBD6567C2EBB59BC8C7A2

Function 00CF055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CF05BC
inet_addr.WSOCK32(?), ref: 00CF061C
gethostbyname.WSOCK32(?), ref: 00CF0628
IcmpCreateFile.IPHLPAPI ref: 00CF0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CF07B9
WSACleanup.WSOCK32 ref: 00CF07BF

Strings

Ping, xrefs: 00CF0676

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 5b2742e548b567daaec576236f17065af7f8f112a0ef28c95a358ed18bc00d42
Instruction ID: 7b0165271bbc4b0d73ad5ebbf5a7607cc3560f6bb6cbbc3708d093f18ec0145a
Opcode Fuzzy Hash: 5b2742e548b567daaec576236f17065af7f8f112a0ef28c95a358ed18bc00d42
Instruction Fuzzy Hash: 8C917C756083019FD760DF15C888F2ABBE0AF84718F2485A9F5698B7A2C770ED45CF92

Function 00CF8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CF8CF3

Part of subcall function 00CD8E54: _wcslen.LIBCMT ref: 00CD8E77

_wcslen.LIBCMT ref: 00CF8D4E
_wcslen.LIBCMT ref: 00CF8D9C
_wcslen.LIBCMT ref: 00CF8DDC
_wcslen.LIBCMT ref: 00CF8E6E

Strings

winapi, xrefs: 00CF8D96, 00CF8D9B
cdecl, xrefs: 00CF8D48, 00CF8D4D
stdcall, xrefs: 00CF8DD6, 00CF8DDB
none, xrefs: 00CF8E65, 00CF8E6A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9b46b1ea522d3b12f63934fe6824d4fe1af2c625693e11b78f3bc57a962fbd9b
Instruction ID: bd725c87818823b326aeebc6c10723fd6c85a87af35615c683009b081f66812b
Opcode Fuzzy Hash: 9b46b1ea522d3b12f63934fe6824d4fe1af2c625693e11b78f3bc57a962fbd9b
Instruction Fuzzy Hash: 9751D136A0051A9BCF64DF68C8419BEB3A5BF65320B214229E626E73C4DB30DE48D791

Function 00CF372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CF3774
CoUninitialize.OLE32 ref: 00CF377F
CoCreateInstance.OLE32(?,00000000,00000017,00D0FB78,?), ref: 00CF37D9
IIDFromString.OLE32(?,?), ref: 00CF384C
VariantInit.OLEAUT32(?), ref: 00CF38E4
VariantClear.OLEAUT32(?), ref: 00CF3936

Strings

Invalid parameter, xrefs: 00CF3865
Failed to create object, xrefs: 00CF37E4, 00CF389A
NULL Pointer assignment, xrefs: 00CF381E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: ae65dd1e73c2d1264126271aec39246c04e8eb924a4da357de81800dfa21964a
Instruction ID: 16cb07b654cfcd2dacf923a72a881f10d3e11c5ecccbaa48b827d9b537e19cbe
Opcode Fuzzy Hash: ae65dd1e73c2d1264126271aec39246c04e8eb924a4da357de81800dfa21964a
Instruction Fuzzy Hash: BE61C070608345AFD310EF55C888B6AB7E4EF48750F10490AFA959B391C774EE48DBA7

Function 00CE3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CE33CF

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CE33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00CE3522
Error: , xrefs: 00CE34D1
Line %d (File "%s"):, xrefs: 00CE3443, 00CE345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00CE3504
^ ERROR , xrefs: 00CE349E
Incorrect parameters to object property !, xrefs: 00CE34AB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ab319e987eb31e2378c78a4f0cdf3929b3ef3a6b376a1b162e304cd433655e66
Instruction ID: d9f48cac8648506d42da897e3e2fc2988a100ce86d59e781c26d4b50af79d92f
Opcode Fuzzy Hash: ab319e987eb31e2378c78a4f0cdf3929b3ef3a6b376a1b162e304cd433655e66
Instruction Fuzzy Hash: C5518D31900249ABDF15EBA1CD46EEEB778EF14340F108165F509B21A2EB316F58EB61

Function 00CDB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CDB5FC
_wcslen.LIBCMT ref: 00CDB608
_wcslen.LIBCMT ref: 00CDB64D
_wcslen.LIBCMT ref: 00CDB68C
_wcslen.LIBCMT ref: 00CDB6C7

Strings

KEYS, xrefs: 00CDB647, 00CDB64C
APPEND, xrefs: 00CDB6C1, 00CDB6C6
EXISTS, xrefs: 00CDB686, 00CDB68B
REMOVE, xrefs: 00CDB602, 00CDB607

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 737679998e617f1f00ef10eb6973d957c156779dae7ecf6e7132d92b9ffa1ca8
Instruction ID: 67861a8b226bd743a1bd796c6a81a4f740531f6945ec0a98a87970fe49562ef6
Opcode Fuzzy Hash: 737679998e617f1f00ef10eb6973d957c156779dae7ecf6e7132d92b9ffa1ca8
Instruction Fuzzy Hash: 1A41A732A00126DBCB245F7D88905BEB7A5AF65754B26412BF635D7384E731CE82C7A0

Function 00CE5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CE53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CE5416
GetLastError.KERNEL32 ref: 00CE5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00CE54A7

Strings

READY, xrefs: 00CE5460, 00CE5468
NOTREADY, xrefs: 00CE544B
INVALID, xrefs: 00CE5459
READONLY, xrefs: 00CE5452
UNKNOWN, xrefs: 00CE5444

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2090232ba82dce1209f34285066f55477998749c94ac1b43ca07a718e23536f2
Instruction ID: d14cb317915e79166c072c590cf7db0b82ff3e3a04a81620a6af5a933de398b5
Opcode Fuzzy Hash: 2090232ba82dce1209f34285066f55477998749c94ac1b43ca07a718e23536f2
Instruction Fuzzy Hash: 7931AE35A006449FC710DF6AC484BAABBB4EF04309F14C065E415DB3D2D771DE86CBA1

Function 00D03C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D03C79
SetMenu.USER32(?,00000000), ref: 00D03C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D03D10
IsMenu.USER32(?), ref: 00D03D24
CreatePopupMenu.USER32 ref: 00D03D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D03D5B
DrawMenuBar.USER32 ref: 00D03D63

Strings

0, xrefs: 00D03C54
F, xrefs: 00D03D4E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8f5587a8695b9cad308a17bc802977a6fcccec3e514c036b308c882d7e401941
Instruction ID: 17a9d83acd64d6cad3e956314e3ec1eaf00e81a196b2235b1eda578772b21ea9
Opcode Fuzzy Hash: 8f5587a8695b9cad308a17bc802977a6fcccec3e514c036b308c882d7e401941
Instruction Fuzzy Hash: 33414C79A01309AFDB14CF64D848BAA77B9FF49350F140129E94AD73A0D770AA11DF64

Function 00CD1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00CD1F64
GetDlgCtrlID.USER32 ref: 00CD1F6F
GetParent.USER32 ref: 00CD1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD1F8E
GetDlgCtrlID.USER32(?), ref: 00CD1F97
GetParent.USER32(?), ref: 00CD1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD1FAE

Strings

ListBox, xrefs: 00CD1F21
ComboBox, xrefs: 00CD1EEC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f37e8a646cb601aa93274be3057dc9f069c483182ea81e022f2f56edd944df8f
Instruction ID: 3e445886523c448e34aca80e3c888fedb4296a0cc55cad8cc360ba945b1aa5e4
Opcode Fuzzy Hash: f37e8a646cb601aa93274be3057dc9f069c483182ea81e022f2f56edd944df8f
Instruction Fuzzy Hash: 5B21B070A00214BBCF15AFA0DC85EFEBBB8EF15350F004216BA65A73A1CB7559099B70

Function 00CD1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00CD2043
GetDlgCtrlID.USER32 ref: 00CD204E
GetParent.USER32 ref: 00CD206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD206D
GetDlgCtrlID.USER32(?), ref: 00CD2076
GetParent.USER32(?), ref: 00CD208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD208D

Strings

ListBox, xrefs: 00CD2002
ComboBox, xrefs: 00CD1FCD

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1c0d490c1dba671ca23e7a3256f5e0912ee1fa6be82ef91c4f702a5e6b7d4a21
Instruction ID: 09a5f3702e6f6c7653714619d1db9c47b9b91baffa3c75bb4661f8d5b7cf7919
Opcode Fuzzy Hash: 1c0d490c1dba671ca23e7a3256f5e0912ee1fa6be82ef91c4f702a5e6b7d4a21
Instruction Fuzzy Hash: EA21D171A00214BBCF10AFA0CC85EEEBBB8EF15340F004106BA69A72A1CB755918EB70

Function 00D03A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D03A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D03AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D03AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D03AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D03B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D03BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D03BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D03BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D03BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D03C13

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f42e1801f3f29478e7aef3abe3ab59c3343beda8ca339b007a277138bfe59017
Instruction ID: c258242b082883545d29a98456e353e044496293927396f6dd0a59a85010687b
Opcode Fuzzy Hash: f42e1801f3f29478e7aef3abe3ab59c3343beda8ca339b007a277138bfe59017
Instruction Fuzzy Hash: D2614875900248AFDB10DFA8CC81FEE77B8EB49704F144199FA19E72E1D770AA85DB60

Function 00CA2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA2C94

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CA2CA0
_free.LIBCMT ref: 00CA2CAB
_free.LIBCMT ref: 00CA2CB6
_free.LIBCMT ref: 00CA2CC1
_free.LIBCMT ref: 00CA2CCC
_free.LIBCMT ref: 00CA2CD7
_free.LIBCMT ref: 00CA2CE2
_free.LIBCMT ref: 00CA2CED
_free.LIBCMT ref: 00CA2CFB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 74ab20774687a98db9d484b0682aca4f412c73064ef05b5d8957fdb167bacb23
Instruction ID: 9b930ab7583d17d411f5a28bb86b17515eb47a2ae5fd741219ef553b86ec50be
Opcode Fuzzy Hash: 74ab20774687a98db9d484b0682aca4f412c73064ef05b5d8957fdb167bacb23
Instruction Fuzzy Hash: C811CB76100119BFCB42EFA8D842CDE3BA5FF06754F4144A5FA485F232DA31EE50ABA1

Function 00CE7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CE7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE7FC1
GetFileAttributesW.KERNEL32(?), ref: 00CE7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CE8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CE80B0

Strings

*.*, xrefs: 00CE8066

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: a68b81a4b4c89e8c74656dd2b47382a4e45281943541d00de55bfcd06c79b149
Instruction ID: 8e10a07da258fa7eaeb08e42bc46cbfc181af502bf30b998936b752cf3989cf3
Opcode Fuzzy Hash: a68b81a4b4c89e8c74656dd2b47382a4e45281943541d00de55bfcd06c79b149
Instruction Fuzzy Hash: 5B81A2725083819FCB24EF56C445A6EB3D8FF84310F14495EF899D7250EB35DE498B52

Function 00C75BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C75C7A

Part of subcall function 00C75D0A: GetClientRect.USER32(?,?), ref: 00C75D30
Part of subcall function 00C75D0A: GetWindowRect.USER32(?,?), ref: 00C75D71
Part of subcall function 00C75D0A: ScreenToClient.USER32(?,?), ref: 00C75D99

GetDC.USER32 ref: 00CB46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CB4708
SelectObject.GDI32(00000000,00000000), ref: 00CB4716
SelectObject.GDI32(00000000,00000000), ref: 00CB472B
ReleaseDC.USER32(?,00000000), ref: 00CB4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CB47C4

Strings

U, xrefs: 00CB4693

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8ddca96f51537dffa993ee0fb891ebaebc147f5b79194e6ba83fdfed8abeb00a
Instruction ID: d5373abeeee2df91ddccfc05c617bffa70cd00d5d00ee5ff43b6d68d26f9f81e
Opcode Fuzzy Hash: 8ddca96f51537dffa993ee0fb891ebaebc147f5b79194e6ba83fdfed8abeb00a
Instruction Fuzzy Hash: A771D034404205DFCF298F64C985AFA7BB5FF4A310F144269F969AA2A7C7319941DF60

Function 00CE359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00CE35E4

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

LoadStringW.USER32(00D42390,?,00000FFF,?), ref: 00CE360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00CE3742
^ ERROR, xrefs: 00CE36C9
Error: , xrefs: 00CE36EF
Line %d (File "%s"):, xrefs: 00CE366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00CE3724

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: a2848d97d29651cf2fd28b94c316eaaee53c15d74802a27d693f1d5c0ef4a507
Instruction ID: 4034989d22d3a9459b32ce711229b7232c53715e13e22883676c74f342555197
Opcode Fuzzy Hash: a2848d97d29651cf2fd28b94c316eaaee53c15d74802a27d693f1d5c0ef4a507
Instruction Fuzzy Hash: 33517C71900289BBDF15EFA1CC46EEEBB78EF15300F148125F509721A1EB316B99EB61

Function 00CEC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CEC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CEC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CEC2CA
GetLastError.KERNEL32 ref: 00CEC322
SetEvent.KERNEL32(?), ref: 00CEC336
InternetCloseHandle.WININET(00000000), ref: 00CEC341

Strings

, xrefs: 00CEC2BB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a81b457d7a92625e22b5b303425bd57d1a3efe8bbe976fc6a49e00b5974f7dfe
Instruction ID: 8e5c77b22e2f3f25105ec8ea37a55de934faeac800716879c96a134caaf58f4e
Opcode Fuzzy Hash: a81b457d7a92625e22b5b303425bd57d1a3efe8bbe976fc6a49e00b5974f7dfe
Instruction Fuzzy Hash: B1319FB1500784AFD7219F668CC8AAB7BFCEB49740B14851DF45AD3210DB34DE069B70

Function 00CD989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CB3AAF,?,?,Bad directive syntax error,00D0CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00CD98BC
LoadStringW.USER32(00000000,?,00CB3AAF,?), ref: 00CD98C3

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CD9987

Strings

., xrefs: 00CD996D
Line %d (File "%s"):, xrefs: 00CD992D
%s (%d) : ==> %s.: %s %s, xrefs: 00CD98F1
Error: , xrefs: 00CD9955
Line %d:, xrefs: 00CD9912

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8aaede1dc4e1ca6b3bf6b14bc91139776f9566a874cdd27026f71cc8493d100b
Instruction ID: a31263ba2528df0474d6940c0df30e25bed454a680d0ea104507d5eeb8503f8a
Opcode Fuzzy Hash: 8aaede1dc4e1ca6b3bf6b14bc91139776f9566a874cdd27026f71cc8493d100b
Instruction Fuzzy Hash: CE219131D4021ABFCF21AF90CC16EEE7735FF18300F04846AF619661A2EB319618EB21

Function 00CD209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00CD20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00CD20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CD214D

Strings

SHELLDLL_DefView, xrefs: 00CD20CC
largeicons, xrefs: 00CD20E1
details, xrefs: 00CD20FB
smallicons, xrefs: 00CD2115
list, xrefs: 00CD212F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2aea90f55f32c428939d80289a11c0f52613a50e0ede931a437a8cc03ddf4ecd
Instruction ID: 87291919a7635a001f12c03326bd284d1cf9b79146f617c29b4203b5fedbb7e5
Opcode Fuzzy Hash: 2aea90f55f32c428939d80289a11c0f52613a50e0ede931a437a8cc03ddf4ecd
Instruction Fuzzy Hash: FC115C76284707B9FA152320EC0BEAA739CCF24324F205217F705E52E1FE616C076624

Function 00CA8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff81770dd443f59aaad096d87265b2213a07554fd23f67cad54e8888223e4bba
Instruction ID: 189d843095a1825097361e2a8887ea4ff90be74c6c174a1b4de301f804119e47
Opcode Fuzzy Hash: ff81770dd443f59aaad096d87265b2213a07554fd23f67cad54e8888223e4bba
Instruction Fuzzy Hash: 25C1D17890434AAFCF11DFA8C845BADBFB0AF0E318F144199E925E7392C7349A45DB61

Function 00CACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CACEB7
_free.LIBCMT ref: 00CACF22
_free.LIBCMT ref: 00CACF48
_free.LIBCMT ref: 00CACF71
_free.LIBCMT ref: 00CACFA9
_free.LIBCMT ref: 00CACFDA
_free.LIBCMT ref: 00CAD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00CAD09C
_free.LIBCMT ref: 00CAD0B5

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 6d3f8e477d861f326c1b034a38de3174901c38119e57de13f19340f5931c7149
Instruction ID: 73f34acc126b499aab21140fc345eb3bb243f487fb6cde3550ffc14eb2c298ec
Opcode Fuzzy Hash: 6d3f8e477d861f326c1b034a38de3174901c38119e57de13f19340f5931c7149
Instruction Fuzzy Hash: 1B615772904313AFDF21AFF89CC5A6A7BA5AF03368F04416DFA65D7281D7319E0197A0

Function 00D050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D05186
ShowWindow.USER32(?,00000000), ref: 00D051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D051D1

Part of subcall function 00D06FBA: DeleteObject.GDI32(00000000), ref: 00D06FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D0520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D0521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D0524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D05287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D05296

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5057472c378c21bb7c4d6386849a5f90fb8da23443a82f2260f8a8bd86dd8646
Instruction ID: 21fb357ca6b133c0676dd1275bead8bfd255f8338217e1de820eaaa7926b49f7
Opcode Fuzzy Hash: 5057472c378c21bb7c4d6386849a5f90fb8da23443a82f2260f8a8bd86dd8646
Instruction Fuzzy Hash: E2518C30A50B08FFEF209F24EC4AB9A3B65EF05325F184111FA1D962E4C771A980DF66

Function 00C88B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00CC6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00CC68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CC68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00CC68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CC68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C88874,00000000,00000000,00000000,000000FF,00000000), ref: 00CC6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CC691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C88874,00000000,00000000,00000000,000000FF,00000000), ref: 00CC692D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 1292bd8e894a2e40ca5aee5da32de2ec08d0dafda58feed40c94ab5e05919721
Instruction ID: 4d12a0387b8d73782a9241837004b1724d4ff8a399608c33c98dc94ac3adbe7f
Opcode Fuzzy Hash: 1292bd8e894a2e40ca5aee5da32de2ec08d0dafda58feed40c94ab5e05919721
Instruction Fuzzy Hash: 3D518874600309AFDB20DF25CC95FAA7BB5EB88754F104618F926D72E0DB70EA90DB60

Function 00CEC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CEC182
GetLastError.KERNEL32 ref: 00CEC195
SetEvent.KERNEL32(?), ref: 00CEC1A9

Part of subcall function 00CEC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CEC272
Part of subcall function 00CEC253: GetLastError.KERNEL32 ref: 00CEC322
Part of subcall function 00CEC253: SetEvent.KERNEL32(?), ref: 00CEC336
Part of subcall function 00CEC253: InternetCloseHandle.WININET(00000000), ref: 00CEC341

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7bb62e0a5a358e074a4d9a3b67ab2e6f1544ab3381dc6adcf49020e2cf3aef20
Instruction ID: 96ba0b31370fbbdaac28250560d2d74efc3641d057bb37c90dba9459ccf2e811
Opcode Fuzzy Hash: 7bb62e0a5a358e074a4d9a3b67ab2e6f1544ab3381dc6adcf49020e2cf3aef20
Instruction Fuzzy Hash: 22318F71600781AFDB259FB6DC84A6ABBF9FF58300B00451DFA6AC2610D730E916AB60

Function 00CD25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD3A57
Part of subcall function 00CD3A3D: GetCurrentThreadId.KERNEL32 ref: 00CD3A5E
Part of subcall function 00CD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD25B3), ref: 00CD3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CD25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00CD25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CD2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00CD2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CD2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00CD2627

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 807906e127dfa591fe0294290fd5e2ef632d7645f475d53da22bbb843994d976
Instruction ID: d3354e5b03330d9e91c4972687a8ba3be94ef2812c290221f51b0321704d1dcb
Opcode Fuzzy Hash: 807906e127dfa591fe0294290fd5e2ef632d7645f475d53da22bbb843994d976
Instruction Fuzzy Hash: 4401D830390710BBFB2067699C8AF593F59DB5EB11F501102F31CEF2E1C9E254449ABA

Function 00CD1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00CD1449,?,?,00000000), ref: 00CD180C
HeapAlloc.KERNEL32(00000000,?,00CD1449,?,?,00000000), ref: 00CD1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CD1449,?,?,00000000), ref: 00CD1828
GetCurrentProcess.KERNEL32(?,00000000,?,00CD1449,?,?,00000000), ref: 00CD1830
DuplicateHandle.KERNEL32(00000000,?,00CD1449,?,?,00000000), ref: 00CD1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CD1449,?,?,00000000), ref: 00CD1843
GetCurrentProcess.KERNEL32(00CD1449,00000000,?,00CD1449,?,?,00000000), ref: 00CD184B
DuplicateHandle.KERNEL32(00000000,?,00CD1449,?,?,00000000), ref: 00CD184E
CreateThread.KERNEL32(00000000,00000000,00CD1874,00000000,00000000,00000000), ref: 00CD1868

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1648d5f921a2851fb354d7be6c7d92a72f2871fa8314d6d92c08dbb099a6a3be
Instruction ID: 6774711824d6a75a4995244f023f432c36a277c548588bc252fb1cb4121de06b
Opcode Fuzzy Hash: 1648d5f921a2851fb354d7be6c7d92a72f2871fa8314d6d92c08dbb099a6a3be
Instruction Fuzzy Hash: 3701BF75250304BFE710AB65DC4DF573B6CEB89B11F015515FA05DB291C6709800CB31

Function 00CFA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00CDD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00CDD501
Part of subcall function 00CDD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00CDD50F
Part of subcall function 00CDD4DC: CloseHandle.KERNELBASE(00000000), ref: 00CDD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CFA16D
GetLastError.KERNEL32 ref: 00CFA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CFA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CFA268
GetLastError.KERNEL32(00000000), ref: 00CFA273
CloseHandle.KERNEL32(00000000), ref: 00CFA2C4

Strings

SeDebugPrivilege, xrefs: 00CFA18F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3badc22434880afefe22c9a387dff2b60f67ab088b66671d297cefacd23a14e0
Instruction ID: 810b42675fef3f160e972938a3512c5e8bbb84088eae78efc6c84c4ad1efad41
Opcode Fuzzy Hash: 3badc22434880afefe22c9a387dff2b60f67ab088b66671d297cefacd23a14e0
Instruction Fuzzy Hash: B2617CB1204642AFD720DF19C494F29BBA1AF44318F19C49CE56E8B7A3C772ED45CB92

Function 00D03886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D03925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D0393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D03954
_wcslen.LIBCMT ref: 00D03999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D039F4

Strings

SysListView32, xrefs: 00D038F7

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b0f2c4a01aab14baf856b5ab3d1586fa522de3a41699a53efdabddae95ce16fd
Instruction ID: cab9ab4d75db81ff0c7335023ef6d0e69342f59bb2c9ab7f7e750fdf49f0bc96
Opcode Fuzzy Hash: b0f2c4a01aab14baf856b5ab3d1586fa522de3a41699a53efdabddae95ce16fd
Instruction Fuzzy Hash: F5418271A00319ABEF219F64CC49BEA77ADEF08350F140566F958E72D1D7B1D984CBA0

Function 00CDBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CDBCFD
IsMenu.USER32(00000000), ref: 00CDBD1D
CreatePopupMenu.USER32 ref: 00CDBD53
GetMenuItemCount.USER32(013A5538), ref: 00CDBDA4
InsertMenuItemW.USER32(013A5538,?,00000001,00000030), ref: 00CDBDCC

Strings

2, xrefs: 00CDBD37
0, xrefs: 00CDBCA8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: dc3b515d78712e17f9cbf7b24d50c8804df42e84c601442f4e72aeeb62c28a43
Instruction ID: ca6766ab9d3b943438d283a9a48f785d70887157cdb69d8b7fecc644354380bc
Opcode Fuzzy Hash: dc3b515d78712e17f9cbf7b24d50c8804df42e84c601442f4e72aeeb62c28a43
Instruction Fuzzy Hash: FF51BE70A00305DBDB10CFA9D888BAEBBF6BF49314F15421AE661D7398D770AE40CB61

Function 00CDC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00CDC913

Strings

warning, xrefs: 00CDC8FC
blank, xrefs: 00CDC895
info, xrefs: 00CDC8B4
question, xrefs: 00CDC8CC
stop, xrefs: 00CDC8E4

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ab10ae6c9ce2560bf325fd898df5184d39a12ee8ae2a3c431a0acbf03d8f46f9
Instruction ID: 4aca7d62601861247312b17a7fced5b826e2526d3b71b3821df677c74f867410
Opcode Fuzzy Hash: ab10ae6c9ce2560bf325fd898df5184d39a12ee8ae2a3c431a0acbf03d8f46f9
Instruction Fuzzy Hash: 5011EB31689307BEEB059B559CD3DAA779CDF15364B60402BF604A63C2DBB09E01B274

Function 00CDDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CDDE42
gethostname.WSOCK32(?,00000100), ref: 00CDDE5C
gethostbyname.WSOCK32(?), ref: 00CDDE69
inet_ntoa.WSOCK32(?), ref: 00CDDEAB
_strcat.LIBCMT ref: 00CDDEB9
WSACleanup.WSOCK32 ref: 00CDDEDE

Strings

0.0.0.0, xrefs: 00CDDE87

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: fad090673fe45cddce36e5cfc99d206a6e6310b81857a3f493b6e9762038a124
Instruction ID: 1883681ea9f1329730a9238f714bd0d3b9cbd65d9d8e14e89655361013490cfe
Opcode Fuzzy Hash: fad090673fe45cddce36e5cfc99d206a6e6310b81857a3f493b6e9762038a124
Instruction Fuzzy Hash: 4E110A71904205BFCB247B64DC0AEDE77BCDF50711F0101AAF55AD6291EF70CA819B61

Function 00D09F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

GetSystemMetrics.USER32(0000000F), ref: 00D09FC7
GetSystemMetrics.USER32(0000000F), ref: 00D09FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D0A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D0A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D0A263
ShowWindow.USER32(00000003,00000000), ref: 00D0A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00D0A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D0A2CA

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 6f46d3f05ba94845cfeda62805a54954c9d59e1d35adbbdf1f3e4a4cb3da4de4
Instruction ID: 3aa92a05fe83530024ed5da0089dcf5d2903b92d352a4e0aaa129311456e789b
Opcode Fuzzy Hash: 6f46d3f05ba94845cfeda62805a54954c9d59e1d35adbbdf1f3e4a4cb3da4de4
Instruction Fuzzy Hash: 5CB16735600319AFDF14CF68C9857AE7BB2FF48701F099169EC899B295DB31A940CB62

Function 00CDED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00CDED2A
_wcslen.LIBCMT ref: 00CDED3B
_wcslen.LIBCMT ref: 00CDED79
_wcslen.LIBCMT ref: 00CDEDAF
_wcslen.LIBCMT ref: 00CDEDDF
_wcslen.LIBCMT ref: 00CDEDEF
_wcslen.LIBCMT ref: 00CDEE2B
_wcslen.LIBCMT ref: 00CDEE5A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8a9d53ab61d577533a9c523c240c73e89120d862a8facc5f72bb27e6ceca8b08
Instruction ID: 21da221cad5db9466e4aa711f07ef65d1c0c499d70614c391c6bd2ca33758696
Opcode Fuzzy Hash: 8a9d53ab61d577533a9c523c240c73e89120d862a8facc5f72bb27e6ceca8b08
Instruction Fuzzy Hash: 4E418F75C1061865CF11FBB4C88E9CFB7ACAF45710F508562E618E3262EB34E656C3A5

Function 00C8F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CC682C,00000004,00000000,00000000), ref: 00C8F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00CC682C,00000004,00000000,00000000), ref: 00CCF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CC682C,00000004,00000000,00000000), ref: 00CCF454

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7161461a5eb72ece1529736e0c0bc9ad0ca733dd0f51faec249f5205a912e027
Instruction ID: e5ba439095f0e0175499473e23601b0312a76d05ab0738143ade7ffba0690ff4
Opcode Fuzzy Hash: 7161461a5eb72ece1529736e0c0bc9ad0ca733dd0f51faec249f5205a912e027
Instruction Fuzzy Hash: E0412031514780FBC739AF2DC888B2A7B92AB56318F14453CE09796670C6759983CB25

Function 00D02D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D02D1B
GetDC.USER32(00000000), ref: 00D02D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D02D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D02D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D02D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D02D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D05A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D02DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D02DE1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e8aa302afd0a2394f17bb4bd1ddffae69afa4a04eca557b9f8b80a8b47fb8acf
Instruction ID: 66d3361b5d417a0827664d91071c844b0b70bfbdbb00d04ef2f6a4626fe78d72
Opcode Fuzzy Hash: e8aa302afd0a2394f17bb4bd1ddffae69afa4a04eca557b9f8b80a8b47fb8acf
Instruction Fuzzy Hash: EF315A72212214ABEB218F508C8AFBB3BA9EB09715F084155FE0CDA2E1D6759C51CBB4

Function 00CD5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CD5637
_memcmp.LIBVCRUNTIME ref: 00CD5659
_memcmp.LIBVCRUNTIME ref: 00CD5671
_memcmp.LIBVCRUNTIME ref: 00CD5684
_memcmp.LIBVCRUNTIME ref: 00CD569E
_memcmp.LIBVCRUNTIME ref: 00CD56B1
_memcmp.LIBVCRUNTIME ref: 00CD56C9
_memcmp.LIBVCRUNTIME ref: 00CD56E4

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ba738563c14ffb6b1476a3f011c2cc1ef61f602b75f1a578fdcd01db2b35c7cb
Instruction ID: a450d6361a7bc1ea568733b08292623a7dd21ef31155aa18a729b49b9a7a412a
Opcode Fuzzy Hash: ba738563c14ffb6b1476a3f011c2cc1ef61f602b75f1a578fdcd01db2b35c7cb
Instruction Fuzzy Hash: 7121DE61744A09BBE61556118D87FFB336CBF10384F680026FF185ABC1F760EE1595B5

Function 00CF4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00CF502E, 00CF5383
Not an Object type, xrefs: 00CF5007

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d0634e0eed5d84131df50adf132833c092f06429ee7ae10e08af2b404977f182
Instruction ID: cbb5240234909266112d16722061e4dba58061d487f5ffc42baec6e10bd679c5
Opcode Fuzzy Hash: d0634e0eed5d84131df50adf132833c092f06429ee7ae10e08af2b404977f182
Instruction Fuzzy Hash: C0D1A171A0060EAFDB54CF58C880BBEB7B5BF48344F148169EB15AB291D770EE45CB61

Function 00CB1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00CB15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00CB1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CB16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00CB16FB

Part of subcall function 00CA3820: RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CB1777
__freea.LIBCMT ref: 00CB17A2
__freea.LIBCMT ref: 00CB17AE

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d77134424cba9f9101b01778eee343c810dc704ace3e8bb51bbfa8b81c8f30aa
Instruction ID: cd1c161a9c5422ab1c9144e29ce3441005d07face1937c390c338b9df44068d2
Opcode Fuzzy Hash: d77134424cba9f9101b01778eee343c810dc704ace3e8bb51bbfa8b81c8f30aa
Instruction Fuzzy Hash: EE91B371E102169ADB208FA5C8A1AEEBBB5DF49310F9C0669FC15E7181DB35DE44CBA0

Function 00CF4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CF4648
VariantInit.OLEAUT32(?), ref: 00CF4749
VariantClear.OLEAUT32(?), ref: 00CF4753
VariantClear.OLEAUT32(?), ref: 00CF47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00CF472C
Null Object assignment in FOR..IN loop, xrefs: 00CF45D8, 00CF4706, 00CF47BE

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ecb38bb149474161b5e74952c968667d48760080bb5cfb1a9f6c44d710380177
Instruction ID: 2956fa8acee412d7200d6aed370fdc40bcc0ee78c8881ecdc0fe1b8ad218337c
Opcode Fuzzy Hash: ecb38bb149474161b5e74952c968667d48760080bb5cfb1a9f6c44d710380177
Instruction Fuzzy Hash: 5491B171A00219ABDF68DFA5C884FBFB7B8EF46714F10851AF615AB280D7709941CFA1

Function 00CE1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00CE125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CE1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00CE12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CE12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CE135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CE13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CE1430

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 3fdef16ce434a814fea7421573cf7f256a674107067c9531e65002d4b11a7b78
Instruction ID: e9fc0c5ed96dc2d9f32267d261a0879f7c93551fd3dff6c64f3bb87c61a4a38a
Opcode Fuzzy Hash: 3fdef16ce434a814fea7421573cf7f256a674107067c9531e65002d4b11a7b78
Instruction Fuzzy Hash: 4E91F271A002589FDB00DFAAC884BBEB7B5FF44325F294029EE10EB291D774E951DB90

Function 00C8948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cc11d60e0ebb4aae5ff43a63cce1654df8f7a4d3a911151c2e1c54e13970db0d
Instruction ID: 6e4faa7aa756eeb9488e407319bb2a557f57f45bff6a65686991e31d8567a147
Opcode Fuzzy Hash: cc11d60e0ebb4aae5ff43a63cce1654df8f7a4d3a911151c2e1c54e13970db0d
Instruction Fuzzy Hash: 9D912471D00219EFCB10DFA9C884AEEBBB8FF49324F188259E515B7251D374AA42DF64

Function 00CF3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CF396B
CharUpperBuffW.USER32(?,?), ref: 00CF3A7A
_wcslen.LIBCMT ref: 00CF3A8A
VariantClear.OLEAUT32(?), ref: 00CF3C1F

Part of subcall function 00CE0CDF: VariantInit.OLEAUT32(00000000), ref: 00CE0D1F
Part of subcall function 00CE0CDF: VariantCopy.OLEAUT32(?,?), ref: 00CE0D28
Part of subcall function 00CE0CDF: VariantClear.OLEAUT32(?), ref: 00CE0D34

Strings

Incorrect Parameter format, xrefs: 00CF39A6, 00CF3BA1
AUTOIT.ERROR, xrefs: 00CF3A80, 00CF3A85

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: bf5451b5599334d2666597b0b2a755191e577307a06b7a02fe23809ff8517cda
Instruction ID: 928dbc6bbb050cbef550265b3d09a0efe13435a4e5ae91d81220e3f30b6bb540
Opcode Fuzzy Hash: bf5451b5599334d2666597b0b2a755191e577307a06b7a02fe23809ff8517cda
Instruction Fuzzy Hash: B291AA70608349AFC744EF25C48092AB7E4FF88314F14892EF99A9B351DB30EE05DB92

Function 00CF4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00CD000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?,?,00CD035E), ref: 00CD002B
Part of subcall function 00CD000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0046
Part of subcall function 00CD000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0054
Part of subcall function 00CD000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?), ref: 00CD0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CF4C51
_wcslen.LIBCMT ref: 00CF4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CF4DCF
CoTaskMemFree.OLE32(?), ref: 00CF4DDA

Strings

NULL Pointer assignment, xrefs: 00CF4E23, 00CF4E52

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: fea5472dacf09938da3efe722888f4f140fe3256c45217b57d801623c080b0da
Instruction ID: 919db614bf90cd2f77219f06f71bfec5e9d5ec60fc2afec01ac81df82cdf2b14
Opcode Fuzzy Hash: fea5472dacf09938da3efe722888f4f140fe3256c45217b57d801623c080b0da
Instruction Fuzzy Hash: 41910771D0021DAFDF14DFA4C891AEEB7B9FF48310F10816AEA19A7291DB309A45DF61

Function 00D020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D02183
GetMenuItemCount.USER32(00000000), ref: 00D021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D021DD
_wcslen.LIBCMT ref: 00D02213
GetMenuItemID.USER32(?,?), ref: 00D0224D
GetSubMenu.USER32(?,?), ref: 00D0225B

Part of subcall function 00CD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD3A57
Part of subcall function 00CD3A3D: GetCurrentThreadId.KERNEL32 ref: 00CD3A5E
Part of subcall function 00CD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD25B3), ref: 00CD3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D022E3

Part of subcall function 00CDE97B: Sleep.KERNEL32 ref: 00CDE9F3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 61c27c4f26051ad8b867d7764ebc744ebbddca4da30db91ebf06510876d48098
Instruction ID: a3339145d201b36c5fb7055f0832b33c799b9a987a83515b4d09d239169b5dfd
Opcode Fuzzy Hash: 61c27c4f26051ad8b867d7764ebc744ebbddca4da30db91ebf06510876d48098
Instruction Fuzzy Hash: D7715E75A00205AFCB14EFA4C889BBEB7F5EF48310F148459E95AEB391D734ED419BA0

Function 00D07E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013A5808), ref: 00D07F37
IsWindowEnabled.USER32(013A5808), ref: 00D07F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00D0801E
SendMessageW.USER32(013A5808,000000B0,?,?), ref: 00D08051
IsDlgButtonChecked.USER32(?,?), ref: 00D08089
GetWindowLongW.USER32(013A5808,000000EC), ref: 00D080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D080C3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 614d02da788bfca7d74dcb64156831d6991ffa6b87011944caba3f1ef925c899
Instruction ID: 02a88896b2192169f5afacdaa99c426443f73b20dae0cc9df66b5ce1ad50d897
Opcode Fuzzy Hash: 614d02da788bfca7d74dcb64156831d6991ffa6b87011944caba3f1ef925c899
Instruction Fuzzy Hash: F3715F34A08205AFEF219F55C894FAABBB5EF09350F184459E99D9B3E1CB31B845DB30

Function 00CDAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00CDAEF9
GetKeyboardState.USER32(?), ref: 00CDAF0E
SetKeyboardState.USER32(?), ref: 00CDAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00CDAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00CDAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00CDAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CDB020

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c700f7aacf5b8469275f7b4d416e4a9bf9b8b99f2387121bcb2aa77098da22f8
Instruction ID: c5bc747042bd7d3bb4df61c82bbabfdbc31825f42910ae399813d21db3e86d9e
Opcode Fuzzy Hash: c700f7aacf5b8469275f7b4d416e4a9bf9b8b99f2387121bcb2aa77098da22f8
Instruction Fuzzy Hash: 525103E06047D17DFB3643348845BBBBEE95B06304F08858AE2E9859C2C3D8EEC8D361

Function 00CDACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00CDAD19
GetKeyboardState.USER32(?), ref: 00CDAD2E
SetKeyboardState.USER32(?), ref: 00CDAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CDADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CDADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CDAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CDAE38

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: de9a894ebfd2a2e5c3505cabe12f4291282aa98928ec9bfa0430f56bc054fe7e
Instruction ID: 30c8525ca3f9033bfca1acb7c2e12277aa85b1882a8d240bc5a8a8580d2bd58a
Opcode Fuzzy Hash: de9a894ebfd2a2e5c3505cabe12f4291282aa98928ec9bfa0430f56bc054fe7e
Instruction Fuzzy Hash: 0C510AA15047D53DFB374334CC45B7A7F995B46300F08858AE2E546ED2C394ED94E762

Function 00CA542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00CB3CD6,?,?,?,?,?,?,?,?,00CA5BA3,?,?,00CB3CD6,?,?), ref: 00CA5470
__fassign.LIBCMT ref: 00CA54EB
__fassign.LIBCMT ref: 00CA5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00CB3CD6,00000005,00000000,00000000), ref: 00CA552C
WriteFile.KERNEL32(?,00CB3CD6,00000000,00CA5BA3,00000000,?,?,?,?,?,?,?,?,?,00CA5BA3,?), ref: 00CA554B
WriteFile.KERNEL32(?,?,00000001,00CA5BA3,00000000,?,?,?,?,?,?,?,?,?,00CA5BA3,?), ref: 00CA5584

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ba7d3e1d025a68e16f3faa6338c87ca9841d8923d1b5f5edcb3fb650ee70ded5
Instruction ID: 9122ea5012f1c61369a75eefbbef2e677124e09a634e5dd1df5d785c08bad136
Opcode Fuzzy Hash: ba7d3e1d025a68e16f3faa6338c87ca9841d8923d1b5f5edcb3fb650ee70ded5
Instruction Fuzzy Hash: 1B51A4B1E0074A9FDB10CFA8D845AEEBBF9EF0A304F14815AF955E7291D7309A41CB60

Function 00C92D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C92D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C92D53
_ValidateLocalCookies.LIBCMT ref: 00C92DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C92E0C
_ValidateLocalCookies.LIBCMT ref: 00C92E61

Strings

csm, xrefs: 00C92DF6

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9d857adcc291ab2eeee55581709d522eb61189b2d20165704c67e70c327096b6
Instruction ID: 7904dffadca40f6df57185ab655a15cc9f8e767656925ae24e04b8cb09617062
Opcode Fuzzy Hash: 9d857adcc291ab2eeee55581709d522eb61189b2d20165704c67e70c327096b6
Instruction Fuzzy Hash: 9241C135A01209BBCF10DF68C889A9EBBB5BF44324F148155F864AB392D731AE55CBE0

Function 00CF10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF307A
Part of subcall function 00CF304E: _wcslen.LIBCMT ref: 00CF309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CF1112
WSAGetLastError.WSOCK32 ref: 00CF1121
WSAGetLastError.WSOCK32 ref: 00CF11C9
closesocket.WSOCK32(00000000), ref: 00CF11F9

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d55257a6ce964c20297840fe1594b881fbf14da654defd9845dddb3ae59b9e55
Instruction ID: eb2ad36d1e9e2d7d5327c90a86c5c31c2c2c343f41adfe158d19d2e916905022
Opcode Fuzzy Hash: d55257a6ce964c20297840fe1594b881fbf14da654defd9845dddb3ae59b9e55
Instruction Fuzzy Hash: A741A231600208EFDB109F64C885BBDB7A9EF45364F18C159FE199B291C771AE41CBA2

Function 00CDCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CDCF22,?), ref: 00CDDDFD

Part of subcall function 00CDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CDCF22,?), ref: 00CDDE16

lstrcmpiW.KERNEL32(?,?), ref: 00CDCF45
MoveFileW.KERNEL32(?,?), ref: 00CDCF7F
_wcslen.LIBCMT ref: 00CDD005
_wcslen.LIBCMT ref: 00CDD01B
SHFileOperationW.SHELL32(?), ref: 00CDD061

Strings

\*.*, xrefs: 00CDCFF3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 319e053c779e4930b64274ac0fa124d09bd28931ee5a524b3ef6449b3411cfad
Instruction ID: ed5e80d70e3f8a5e3489855d7cd4d7d0a1d428063c791c6da047fb8d4d8b0463
Opcode Fuzzy Hash: 319e053c779e4930b64274ac0fa124d09bd28931ee5a524b3ef6449b3411cfad
Instruction Fuzzy Hash: BF4135719452195FDF12EBA4D9C1ADDB7B9AF08380F1000E7E619EB242EB34A748DB50

Function 00D02DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D02E1C
GetWindowLongW.USER32(?,000000F0), ref: 00D02E4F
GetWindowLongW.USER32(?,000000F0), ref: 00D02E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D02EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D02EE0
GetWindowLongW.USER32(?,000000F0), ref: 00D02EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D02F0B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5e80ca54041f7b02c5c0caa61351bbf5ae4644b21426a9068a0ce1082a88214d
Instruction ID: 6f6b9538d46eab6b9e9462182c2c3fdb8685101532cdc5d233e93dfe1497c97f
Opcode Fuzzy Hash: 5e80ca54041f7b02c5c0caa61351bbf5ae4644b21426a9068a0ce1082a88214d
Instruction Fuzzy Hash: 46310538686250AFDB21CF58DC88F6537E5EB4A750F191164FA18CB2F2CB71A880DB61

Function 00CD7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD778F
SysAllocString.OLEAUT32(00000000), ref: 00CD7792
SysAllocString.OLEAUT32(?), ref: 00CD77B0
SysFreeString.OLEAUT32(?), ref: 00CD77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00CD77DE
SysAllocString.OLEAUT32(?), ref: 00CD77EC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ec0926babfc81f734b220a079dde5beef3ec6d2ec14aaa35985a17079e3e71cd
Instruction ID: 12a4aa23c5bfac0de86748b1f1efe006b2bd4bf03f0ade25a919eb64904f4ab9
Opcode Fuzzy Hash: ec0926babfc81f734b220a079dde5beef3ec6d2ec14aaa35985a17079e3e71cd
Instruction Fuzzy Hash: D221A376604219AFDB11DFA8CC84DBB73ECEB09364701862ABA14DB290E670DD41C764

Function 00CD77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD7868
SysAllocString.OLEAUT32(00000000), ref: 00CD786B
SysAllocString.OLEAUT32 ref: 00CD788C
SysFreeString.OLEAUT32 ref: 00CD7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00CD78AF
SysAllocString.OLEAUT32(?), ref: 00CD78BD

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 80abd81ae58f2f619bd744bbc5fe2f267b16c33c9bad02a6ff1baab7f359af5a
Instruction ID: de18d27708a24b3a8d6f53a856b63e52189ef8e241abefbfe727b42db5124bbe
Opcode Fuzzy Hash: 80abd81ae58f2f619bd744bbc5fe2f267b16c33c9bad02a6ff1baab7f359af5a
Instruction Fuzzy Hash: E1217431604204AFDB10AFA8DC89DAA77ECFB097607108226FA15DB3E1E674ED41DB74

Function 00CE04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CE04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CE052E

Strings

nul, xrefs: 00CE0567

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7e43d75a5b5b071be39dc1fb691c8e0bcfbe0f3585c22692db85a01715e4343b
Instruction ID: 2619ef134206a56d1bc5b92285085401f2f06737740f20666b0bfcb93a64a142
Opcode Fuzzy Hash: 7e43d75a5b5b071be39dc1fb691c8e0bcfbe0f3585c22692db85a01715e4343b
Instruction Fuzzy Hash: 52218D71501345AFDB208F2ADC04A9A77B4AF45724F304A19F8B1E62E0D7B0DA80CFA4

Function 00CE05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CE05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CE0601

Strings

nul, xrefs: 00CE0639

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3cf40f152e3655701cb4cf0682d8e4ed967785b8505dfe8a7d20f55cf5c492ab
Instruction ID: 098d735c7b6c658771e2c867f3ae7ce21f822e5a20eb2c299c881d5cc7e8f6b5
Opcode Fuzzy Hash: 3cf40f152e3655701cb4cf0682d8e4ed967785b8505dfe8a7d20f55cf5c492ab
Instruction Fuzzy Hash: A9217F755003459BDB209F6A9C04B9A77A8AF95721F340B19FCB1E72E0D7B099A0CBA4

Function 00D040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C7604C
Part of subcall function 00C7600E: GetStockObject.GDI32(00000011), ref: 00C76060
Part of subcall function 00C7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D04112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D0411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D0412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D04139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D04145

Strings

Msctls_Progress32, xrefs: 00D040E3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 944956232c288fe3e6835bccdbf651cdd566e6071d3588b3ad8e90f56c0b4463
Instruction ID: 059d5d85c145c1268c321a0d40f5a664ce17a7568458a77736350628d972f698
Opcode Fuzzy Hash: 944956232c288fe3e6835bccdbf651cdd566e6071d3588b3ad8e90f56c0b4463
Instruction Fuzzy Hash: 801190B215021DBEEF218F64CC85EE77F6DEF08798F004110BB58A21A0CA729C61DBB4

Function 00CAD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CAD7A3: _free.LIBCMT ref: 00CAD7CC

_free.LIBCMT ref: 00CAD82D

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CAD838
_free.LIBCMT ref: 00CAD843
_free.LIBCMT ref: 00CAD897
_free.LIBCMT ref: 00CAD8A2
_free.LIBCMT ref: 00CAD8AD
_free.LIBCMT ref: 00CAD8B8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 3f49c79b0783b8bd7731d99c1b1bfc0deca6b3a6784e36ce971d980f00ce2bb0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B3115E71540B19AAD621BFB0CC47FCB7BDCAF02B04F400825B29BE68A2DA65B505A661

Function 00CDDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CDDA74
LoadStringW.USER32(00000000), ref: 00CDDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CDDA91
LoadStringW.USER32(00000000), ref: 00CDDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CDDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CDDAB9

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 6c6d6fd55287fcdd0e71f258e1965b0acc3e7b6b576a4bc24869cfa9b9fcc4d2
Instruction ID: 78ec766aa419bb2d369f5cbd9eba3856fd5f942ebb78eef2e91e743b17a6fc3b
Opcode Fuzzy Hash: 6c6d6fd55287fcdd0e71f258e1965b0acc3e7b6b576a4bc24869cfa9b9fcc4d2
Instruction Fuzzy Hash: 500162F69103087FE7109BA49D89FEB326CE708701F405592B70AE2181E6749E844F75

Function 00CE096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0139E1B8,0139E1B8), ref: 00CE097B
EnterCriticalSection.KERNEL32(0139E198,00000000), ref: 00CE098D
TerminateThread.KERNEL32(?,000001F6), ref: 00CE099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00CE09A9
CloseHandle.KERNEL32(?), ref: 00CE09B8
InterlockedExchange.KERNEL32(0139E1B8,000001F6), ref: 00CE09C8
LeaveCriticalSection.KERNEL32(0139E198), ref: 00CE09CF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 384fd60e5b62262c2a5cba4bedd01ed31c408b3d6ba11ceef832e766c3b02acb
Instruction ID: b3fc06fba45260469dfac61ccc5d40bce4e40bc0cad3f0efd36199d7cd4befaa
Opcode Fuzzy Hash: 384fd60e5b62262c2a5cba4bedd01ed31c408b3d6ba11ceef832e766c3b02acb
Instruction Fuzzy Hash: FCF03C32552B02BBD7415FA4EE8CBD6BB39FF01702F502225F20690DA1C7749565CFA4

Function 00C75D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C75D30
GetWindowRect.USER32(?,?), ref: 00C75D71
ScreenToClient.USER32(?,?), ref: 00C75D99
GetClientRect.USER32(?,?), ref: 00C75ED7
GetWindowRect.USER32(?,?), ref: 00C75EF8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: edda22bc897d98b9970f23b50b02d1c0b755e04a50dc0c9b0c12be4ae3087d83
Instruction ID: 8f65d466c58d7f5f3a32f5c7af7f309fdcf55359ce837ab1a95a78bff1eec692
Opcode Fuzzy Hash: edda22bc897d98b9970f23b50b02d1c0b755e04a50dc0c9b0c12be4ae3087d83
Instruction Fuzzy Hash: D5B17634A00B4ADBDB14CFA9C4807EAB7F1FF58310F14951AE8AAD7290DB34AA51DB50

Function 00CA01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00CA00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA00D6
__allrem.LIBCMT ref: 00CA00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA010B
__allrem.LIBCMT ref: 00CA0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA0140

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 7a0b642fef2eff9d56cd4256c5e02c7c466c416de0e2c218885651ab70ecd7e9
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 0981E672A00B079BEB249F69CC46BAE73E9AF42368F24413EF561D7281E770DA019750

Function 00CF1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00CF101C,00000000,?,?,00000000), ref: 00CF3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CF1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CF1DE1
WSAGetLastError.WSOCK32 ref: 00CF1DF2
inet_ntoa.WSOCK32(?), ref: 00CF1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00CF1EDB
_strlen.LIBCMT ref: 00CF1F35

Part of subcall function 00CD39E8: _strlen.LIBCMT ref: 00CD39F2

Part of subcall function 00C76D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00C8CF58,?,?,?), ref: 00C76DBA
Part of subcall function 00C76D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00C8CF58,?,?,?), ref: 00C76DED

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 89caa89d21fff621904bdc6e9f0b197094aadb31c5f86c38c31153baea990958
Instruction ID: d9b7ad3ae8855b0be611275399fe4d08417ab1e287ea86402d76687fb68e6f90
Opcode Fuzzy Hash: 89caa89d21fff621904bdc6e9f0b197094aadb31c5f86c38c31153baea990958
Instruction Fuzzy Hash: 7AA1C131104344AFC364DF65C895F3A77A5AF84318F58894CF95A9B2A2CB31EE46CB92

Function 00CA61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C982D9,00C982D9,?,?,?,00CA644F,00000001,00000001,8BE85006), ref: 00CA6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CA644F,00000001,00000001,8BE85006,?,?,?), ref: 00CA62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CA63D8
__freea.LIBCMT ref: 00CA63E5

Part of subcall function 00CA3820: RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

__freea.LIBCMT ref: 00CA63EE
__freea.LIBCMT ref: 00CA6413

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d55e05fbe2f576d9c5625b23c422de1d13753029f653c7e45c6f34d6df48f941
Instruction ID: e8d12f660b8364cd6b2b0aaaf235a20c802883a1454de4b0176db2f5e9952052
Opcode Fuzzy Hash: d55e05fbe2f576d9c5625b23c422de1d13753029f653c7e45c6f34d6df48f941
Instruction Fuzzy Hash: B751EF72A00217ABDF258F64CC81EAF7BAAEF46718F184229FD15D6190EB34DD41D6A0

Function 00CFBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFC9F1
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA68
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFBD25
RegCloseKey.ADVAPI32(00000000), ref: 00CFBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CFBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CFBDF3
RegCloseKey.ADVAPI32(?), ref: 00CFBDFF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 1b32f92b28d7287cf17b31842e865665f8fc599795de78515fd5550b8d491a3c
Instruction ID: fe82e159f35a23856bab88f5043380ff51f4510aa04c5ae3b7e6c592f975cd20
Opcode Fuzzy Hash: 1b32f92b28d7287cf17b31842e865665f8fc599795de78515fd5550b8d491a3c
Instruction Fuzzy Hash: 99819C30218245EFD754DF24C881E2ABBE5FF84308F14895CF6598B2A2DB31EE45DB92

Function 00CCF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00CCF7B9
SysAllocString.OLEAUT32(00000001), ref: 00CCF860
VariantCopy.OLEAUT32(00CCFA64,00000000), ref: 00CCF889
VariantClear.OLEAUT32(00CCFA64), ref: 00CCF8AD
VariantCopy.OLEAUT32(00CCFA64,00000000), ref: 00CCF8B1
VariantClear.OLEAUT32(?), ref: 00CCF8BB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 13eeffa815a7fe41d9c3e1671ad6e1fb107f1cd1b3c7818db74400bdfbb6e970
Instruction ID: ecc902fb899e48fd4b62662be3fc753dfa0e92b95303588414d1e8f5ae294bdd
Opcode Fuzzy Hash: 13eeffa815a7fe41d9c3e1671ad6e1fb107f1cd1b3c7818db74400bdfbb6e970
Instruction Fuzzy Hash: 7A51D431610310ABCF24BF66D895F29B3A6EF45310B24946FE906DF291DB709C82D7A7

Function 00CE910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00CE94E5
_wcslen.LIBCMT ref: 00CE9506
_wcslen.LIBCMT ref: 00CE952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00CE9585

Strings

X, xrefs: 00CE9412

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 805def1099a29e9ab3ac1aa406895371ed4adaaf27b1705c9fa7bc00eea48363
Instruction ID: 4fffb07c7b329c88517aec552783230f8761ae0c2f9bf45fa8ea07f6d1a75789
Opcode Fuzzy Hash: 805def1099a29e9ab3ac1aa406895371ed4adaaf27b1705c9fa7bc00eea48363
Instruction Fuzzy Hash: 9AE1BF315083419FD724EF25C881A6EB7E4FF85314F14896DF8999B2A2DB31EE05CB92

Function 00C8920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

BeginPaint.USER32(?,?,?), ref: 00C89241
GetWindowRect.USER32(?,?), ref: 00C892A5
ScreenToClient.USER32(?,?), ref: 00C892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C892D3
EndPaint.USER32(?,?,?,?,?), ref: 00C89321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00CC71EA

Part of subcall function 00C89339: BeginPath.GDI32(00000000), ref: 00C89357

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: cf6b0fa9be36d38c360c5198b91de21dd9e642dd15fc21b1ba7074d375d056b3
Instruction ID: 607da9bdd178e400ccdd219e044d0066a12c007da57de84b113637c01e93ad65
Opcode Fuzzy Hash: cf6b0fa9be36d38c360c5198b91de21dd9e642dd15fc21b1ba7074d375d056b3
Instruction Fuzzy Hash: 4B41AC74104300AFD721EF24D884FBA7BA8EB46324F180229F9A9D72F1C7719985DB62

Function 00CE07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CE080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00CE0847
EnterCriticalSection.KERNEL32(?), ref: 00CE0863
LeaveCriticalSection.KERNEL32(?), ref: 00CE08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CE08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CE0921

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8169df81ec5185707020ce02ebb90ed7112d57c76314110851b9328c937c1dd3
Instruction ID: b12c3abb89ca922570a08ccafadd91fc411ca8c76845fdfc9e4ecf3935b884d5
Opcode Fuzzy Hash: 8169df81ec5185707020ce02ebb90ed7112d57c76314110851b9328c937c1dd3
Instruction Fuzzy Hash: 30417A71900205EFDF14AF64DC85AAA77B8FF44304F2440A9ED04DA297DB70DEA1DBA4

Function 00D081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00CCF3AB,00000000,?,?,00000000,?,00CC682C,00000004,00000000,00000000), ref: 00D0824C
EnableWindow.USER32(?,00000000), ref: 00D08272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D082D1
ShowWindow.USER32(?,00000004), ref: 00D082E5
EnableWindow.USER32(?,00000001), ref: 00D0830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D0832F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b5e88630bbbbec12ecfc4b46680d783499e21c0c204f2b00211dc73fbc2914ef
Instruction ID: e4958abebac269043890da7f465e736d8e74d1cadf356ca22cba8dcd126363d8
Opcode Fuzzy Hash: b5e88630bbbbec12ecfc4b46680d783499e21c0c204f2b00211dc73fbc2914ef
Instruction Fuzzy Hash: C0418338601744AFDF21CF25C899BA47BE0FB4A715F185269E55C8B2E2CB31A841DF74

Function 00CD4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00CD4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CD4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CD4CEA
_wcslen.LIBCMT ref: 00CD4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CD4D10
_wcsstr.LIBVCRUNTIME ref: 00CD4D1A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 850452999c8f717a51940fefc207a60283021eda0a4b50f084d5ebdd69976e6b
Instruction ID: 49abb039091da2d242ea3e990181fdae801d33d9a33af211eaf65bf2ca100767
Opcode Fuzzy Hash: 850452999c8f717a51940fefc207a60283021eda0a4b50f084d5ebdd69976e6b
Instruction Fuzzy Hash: FE210832204204BBEB295B39EC49E7B7B9DDF45750F10813EFA09CA2A1EE71DD4197A0

Function 00CE581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C73A97,?,?,00C72E7F,?,?,?,00000000), ref: 00C73AC2

_wcslen.LIBCMT ref: 00CE587B
CoInitialize.OLE32(00000000), ref: 00CE5995
CoCreateInstance.OLE32(00D0FCF8,00000000,00000001,00D0FB68,?), ref: 00CE59AE
CoUninitialize.OLE32 ref: 00CE59CC

Strings

.lnk, xrefs: 00CE5876, 00CE58C1, 00CE5985

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4ae4e3ef6d0d6b4420e6bacaab924478c49a08a41f23f15243ad4858f24d633c
Instruction ID: 5f9ca23dbc698c69cbeee8f4697ee4d1ad2fa09aa0f7dbdacda1be7bce75087e
Opcode Fuzzy Hash: 4ae4e3ef6d0d6b4420e6bacaab924478c49a08a41f23f15243ad4858f24d633c
Instruction Fuzzy Hash: E1D185716047019FC714DF26C484A2ABBE1FF89718F14895DF8999B362CB31ED46CB92

Function 00CD175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CD0FCA
Part of subcall function 00CD0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CD0FD6
Part of subcall function 00CD0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CD0FE5
Part of subcall function 00CD0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CD0FEC
Part of subcall function 00CD0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CD1002

GetLengthSid.ADVAPI32(?,00000000,00CD1335), ref: 00CD17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CD17BA
HeapAlloc.KERNEL32(00000000), ref: 00CD17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00CD17DA
GetProcessHeap.KERNEL32(00000000,00000000,00CD1335), ref: 00CD17EE
HeapFree.KERNEL32(00000000), ref: 00CD17F5

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 38eaa145ca229016dece84706f348674259b23a7035ef0d6353db0803f3aafff
Instruction ID: cbd8bc3a3f2e66df25a2bea4a5ac409234ed03e4da1f63765eef4f21a5db28b6
Opcode Fuzzy Hash: 38eaa145ca229016dece84706f348674259b23a7035ef0d6353db0803f3aafff
Instruction Fuzzy Hash: 99119A31610305FBDB109FA4CC49BAE7BB9EB45355F19421AF945D7320C735AA40CB60

Function 00CD14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CD14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00CD1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CD1515
CloseHandle.KERNEL32(00000004), ref: 00CD1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CD154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00CD1563

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3088b5c2554893597885c1bdf31033002dfa743d3ee376a2c4680af95c418e2b
Instruction ID: 7ee84d6e5237c20dbc02bfdf8176c98b0172d15f8dc44855dfbd42e32e26dd6a
Opcode Fuzzy Hash: 3088b5c2554893597885c1bdf31033002dfa743d3ee376a2c4680af95c418e2b
Instruction Fuzzy Hash: 35112972510209BBDF118F98ED49BDE7BA9EF48744F088119FE19A22A0D375CE60DB60

Function 00C93382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C93379,00C92FE5), ref: 00C93390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C9339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C933B7
SetLastError.KERNEL32(00000000,?,00C93379,00C92FE5), ref: 00C93409

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 62506d41d3ec6e1bce042a887d57eed54c1544202318db125dfa1446bddc5dae
Instruction ID: 00e0b56a5c2cd8a6b81594f441f5c76a593eab588080cf9c06ebbe646719f04f
Opcode Fuzzy Hash: 62506d41d3ec6e1bce042a887d57eed54c1544202318db125dfa1446bddc5dae
Instruction Fuzzy Hash: F501283226D391BEEF2827757C8D61B2E54FB057BA3200329F420D02F0EF114E026264

Function 00CA2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CA5686,00CB3CD6,?,00000000,?,00CA5B6A,?,?,?,?,?,00C9E6D1,?,00D38A48), ref: 00CA2D78
_free.LIBCMT ref: 00CA2DAB
_free.LIBCMT ref: 00CA2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C9E6D1,?,00D38A48,00000010,00C74F4A,?,?,00000000,00CB3CD6), ref: 00CA2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C9E6D1,?,00D38A48,00000010,00C74F4A,?,?,00000000,00CB3CD6), ref: 00CA2DEC
_abort.LIBCMT ref: 00CA2DF2

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f48dc523bf17c207300362a1e8c949978ac5d08a09602f58ab2804d5eccad974
Instruction ID: 082534432524de331b52aae58cb4aa906fbe8da5f8d13b2604befc1dce768455
Opcode Fuzzy Hash: f48dc523bf17c207300362a1e8c949978ac5d08a09602f58ab2804d5eccad974
Instruction Fuzzy Hash: D4F0A9319157232BC222273DBC06B5B1665AFC376DB250614F438D22D3EF248901A171

Function 00D08A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C89693
Part of subcall function 00C89639: SelectObject.GDI32(?,00000000), ref: 00C896A2
Part of subcall function 00C89639: BeginPath.GDI32(?), ref: 00C896B9
Part of subcall function 00C89639: SelectObject.GDI32(?,00000000), ref: 00C896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D08A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D08A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D08A70
LineTo.GDI32(?,00000000,00000003), ref: 00D08A80
EndPath.GDI32(?), ref: 00D08A90
StrokePath.GDI32(?), ref: 00D08AA0

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b7254a2ba918ce9a724434fa48094c651e9d1eff84ea9a26d8ea5999fdcbf0c1
Instruction ID: 154ba7e349de1153ef9fb38a29740f94ec907864c1782458c3c1f078402e0aaf
Opcode Fuzzy Hash: b7254a2ba918ce9a724434fa48094c651e9d1eff84ea9a26d8ea5999fdcbf0c1
Instruction Fuzzy Hash: 5D11C976000209FFEB129F94DC88FAA7F6DEB08394F048112FA599A2A1D7719D55DFB0

Function 00CD51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CD5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CD5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CD5230
ReleaseDC.USER32(00000000,00000000), ref: 00CD5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CD524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00CD5261

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: beeef21133320a9cc8e832abc5f09cb254bf8931710e57628ca60fc8cd48dd0b
Instruction ID: d2aece3c9cda9b3ec0ebd7eb23a49d7fa6d8d69a36cc87625e16139e54c98316
Opcode Fuzzy Hash: beeef21133320a9cc8e832abc5f09cb254bf8931710e57628ca60fc8cd48dd0b
Instruction Fuzzy Hash: 67014F75E00718BBEB109BA59C49F5EBFB8EB48751F044166FA08E7391D6709904CBA0

Function 00C71BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C71BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C71BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C71C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C71C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C71C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C71C22

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2e011c15800c06540fdd2798a43918dec3ef6f99330623f8762c0f0a6c70f168
Instruction ID: 2462ed7be34e763f903937b2babda911bb4452220dd1deb198544e046c53cd14
Opcode Fuzzy Hash: 2e011c15800c06540fdd2798a43918dec3ef6f99330623f8762c0f0a6c70f168
Instruction Fuzzy Hash: EF016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 00CDEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CDEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CDEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00CDEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDEB75

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e06d4ba0e3a9a7a5be55823dfa56a86911f55acd40a9f159bb6752a894c18240
Instruction ID: 8bd131eac2a2b89198c887c5e5e182cdc65ee8acf26f2c66d8b429f6ea3d8801
Opcode Fuzzy Hash: e06d4ba0e3a9a7a5be55823dfa56a86911f55acd40a9f159bb6752a894c18240
Instruction Fuzzy Hash: 9AF09A72210318BBE7206B629C0EFEF3A7CEFCAB11F001259F605D12A0D7A11A01CAB5

Function 00CC7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00CC7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00CC7469
GetWindowDC.USER32(?), ref: 00CC7475
GetPixel.GDI32(00000000,?,?), ref: 00CC7484
ReleaseDC.USER32(?,00000000), ref: 00CC7496
GetSysColor.USER32(00000005), ref: 00CC74B0

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 407f27f3ed0844592e7479c03f6f789be4286edcf88ba791e23d701c97a2d978
Instruction ID: 82bc42ea0ce0b736623a0028a9d3c2759b9e1a25d309eadc4421e7fbb88918b7
Opcode Fuzzy Hash: 407f27f3ed0844592e7479c03f6f789be4286edcf88ba791e23d701c97a2d978
Instruction Fuzzy Hash: 3B012831410615EFDB619F64DC08BAA7BB5FB04321F551264FA29E22A1CB311E51AF61

Function 00CD1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD187F
UnloadUserProfile.USERENV(?,?), ref: 00CD188B
CloseHandle.KERNEL32(?), ref: 00CD1894
CloseHandle.KERNEL32(?), ref: 00CD189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CD18A5
HeapFree.KERNEL32(00000000), ref: 00CD18AC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9f707e86e6ac8b3baa4f2a63e2bad312f573cb8f03dfde3769fbb936eae4c656
Instruction ID: 8ebd31ec4dcf5b0aae42111e0c14b65de43e8bb4f9a5d31bf8bba2eabba746c6
Opcode Fuzzy Hash: 9f707e86e6ac8b3baa4f2a63e2bad312f573cb8f03dfde3769fbb936eae4c656
Instruction Fuzzy Hash: 79E0ED36124301BBD7015FA1ED0CA05BF39FF597217109324F229C1270CB325420DF61

Function 00CDC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CDC6EE
_wcslen.LIBCMT ref: 00CDC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CDC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CDC7CA

Strings

0, xrefs: 00CDC6AF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ae03a916a5b0d20606025d66e89fa080ece4656d4629d078570d56c6267a14c9
Instruction ID: 7cdd15fe34f2894141b16ec670e28aee5e96db6570d3a6af5e925b3d821fa53c
Opcode Fuzzy Hash: ae03a916a5b0d20606025d66e89fa080ece4656d4629d078570d56c6267a14c9
Instruction Fuzzy Hash: D651A0716143029BD714AF28C8C5B6AB7E8AF45314F050A2EFAA5D23D0DB70DA45DB52

Function 00CFAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CFAEA3

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

GetProcessId.KERNEL32(00000000), ref: 00CFAF38
CloseHandle.KERNEL32(00000000), ref: 00CFAF67

Strings

@, xrefs: 00CFAE72
<, xrefs: 00CFAE6B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c33d25aad29fb4a950db52b221a7795fc72d03164165502c5e73544e766776a2
Instruction ID: b4dd5c55830fa733f1df0969b5cb03071d80f4db1a5e6d0e95c95a48aaf6a409
Opcode Fuzzy Hash: c33d25aad29fb4a950db52b221a7795fc72d03164165502c5e73544e766776a2
Instruction Fuzzy Hash: 5C717D71A00219DFCB14DF94C484AAEBBF0FF08314F148499E91AAB362C774EE41DB92

Function 00CD719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CD7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CD723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CD724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CD72CF

Strings

DllGetClassObject, xrefs: 00CD7242

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1d8e0435fab50e2a5b9f1c48409c69f57ac07c0eb14bac5476128c40bf8295ba
Instruction ID: bb6bf52e49ec36db1828676ce3689e3d1009e7c03fc0d12d1d83e9e101f490e9
Opcode Fuzzy Hash: 1d8e0435fab50e2a5b9f1c48409c69f57ac07c0eb14bac5476128c40bf8295ba
Instruction Fuzzy Hash: B8416171604204EFDB15CF54C884B9A7BA9EF44310F1482AEBE09DF34AE7B5DA45DBA0

Function 00D03D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D03E35
IsMenu.USER32(?), ref: 00D03E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D03E92
DrawMenuBar.USER32 ref: 00D03EA5

Strings

0, xrefs: 00D03D89

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d034f6f616961b1c00512d7af5e92224d1537d9b2e341ca423d31cbc22be60ee
Instruction ID: 9012d42be3bdbb1dee7632f1a7300d3991ff9489d544b99ffd502fe0cb574bba
Opcode Fuzzy Hash: d034f6f616961b1c00512d7af5e92224d1537d9b2e341ca423d31cbc22be60ee
Instruction Fuzzy Hash: D64149B9A11249AFDB10DF50D884AEABBB9FF49350F084229F91997390D730EE44CF60

Function 00CD1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CD1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CD1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00CD1EA9

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

Strings

ListBox, xrefs: 00CD1E25
ComboBox, xrefs: 00CD1DF0

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: c2bd9a07b486ecbb4af346d2f2345dda90bf1bee0b49c479f5d1613f85be1fcc
Instruction ID: b0439533a61abc6bc809d8699d1fd2cec2519845ef4e8cd4ed8a7f624264ca15
Opcode Fuzzy Hash: c2bd9a07b486ecbb4af346d2f2345dda90bf1bee0b49c479f5d1613f85be1fcc
Instruction Fuzzy Hash: 79214971A00104BFDB14AB60DC4ADFFB7B8DF42354F14411AFD29A36E1DB344A0AA630

Function 00CFC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CFC9F1
_wcslen.LIBCMT ref: 00CFCA68
_wcslen.LIBCMT ref: 00CFCA9E
_wcslen.LIBCMT ref: 00CFCAF9
_wcslen.LIBCMT ref: 00CFCB2F
_wcslen.LIBCMT ref: 00CFCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00CFCA62, 00CFCA67
HKLM, xrefs: 00CFCA98, 00CFCA9D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 526f0e6285237c0045600e187b1c0d33ad2d1d53ba09ff6adb0ffb234377397f
Instruction ID: 1476d428e4732aaf89fa326880f34a87a571b7c4bec4211200b674f908ef3072
Opcode Fuzzy Hash: 526f0e6285237c0045600e187b1c0d33ad2d1d53ba09ff6adb0ffb234377397f
Instruction Fuzzy Hash: 54313673B0056D4BCB60DF2DCAD14BE33919BA1740F054029E925AB344EA71EF40F3A2

Function 00D02F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D02F8D
LoadLibraryW.KERNEL32(?), ref: 00D02F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D02FA9
DestroyWindow.USER32(?), ref: 00D02FB1

Strings

SysAnimate32, xrefs: 00D02F68

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d082f78dfeb4a15c075437e30688b0131a224708dc5ebdda675c44b32d9336e8
Instruction ID: 0f2f283ce7d6cee3eed26e3e8aa31ebbfb8061b1f6bf3037ce50a79d367ff7bd
Opcode Fuzzy Hash: d082f78dfeb4a15c075437e30688b0131a224708dc5ebdda675c44b32d9336e8
Instruction Fuzzy Hash: F821CA7120120AABEB214F66DC88FBB7BB9EF593A4F140218FA58D21E0C771DC819770

Function 00C94D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C94D1E,00CA28E9,?,00C94CBE,00CA28E9,00D388B8,0000000C,00C94E15,00CA28E9,00000002), ref: 00C94D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C94DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C94D1E,00CA28E9,?,00C94CBE,00CA28E9,00D388B8,0000000C,00C94E15,00CA28E9,00000002,00000000), ref: 00C94DC3

Strings

CorExitProcess, xrefs: 00C94D98
mscoree.dll, xrefs: 00C94D86

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f4dce6fc0aa02ead331b6ed64e4f744aadc075b0278605297290378d07ecd113
Instruction ID: 3158db6a95e8b26a608b5316d85f496b78e3e32e563ec44825088e6d05727041
Opcode Fuzzy Hash: f4dce6fc0aa02ead331b6ed64e4f744aadc075b0278605297290378d07ecd113
Instruction Fuzzy Hash: EEF03C35A50308BBDB159F90DC49BEDBFA5EB44752F0401A4B809E22A0DB705A85DBA1

Function 00CCD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00CCD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CCD3BF
FreeLibrary.KERNEL32(00000000), ref: 00CCD3E5

Strings

X64, xrefs: 00CCD2A8
GetSystemWow64DirectoryW, xrefs: 00CCD3B9

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: ef41784f567aa22f75214bc8df5b582c9a3e95fb178b1de643452c4cac87d358
Instruction ID: 1fcfc701d358c8f26a3e29c5e6a4744fb977868b36d60e8ab9f1f2cabe1d21aa
Opcode Fuzzy Hash: ef41784f567aa22f75214bc8df5b582c9a3e95fb178b1de643452c4cac87d358
Instruction Fuzzy Hash: 54F05C70915B519BD7312711CC58F6E77209F11701F59927CF40BE22A0C760CE4087A3

Function 00C74E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C74EDD,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C74EAE
FreeLibrary.KERNEL32(00000000,?,?,00C74EDD,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74EC0

Strings

kernel32.dll, xrefs: 00C74E94
Wow64DisableWow64FsRedirection, xrefs: 00C74EA8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d2e22dcac22d0ea0106cda9e222644d277e54ec5c3629f553690713f47a8a31a
Instruction ID: e8fe35077e2013e2555c38c8ab60194fa541328478b18123350ad8881a7bd088
Opcode Fuzzy Hash: d2e22dcac22d0ea0106cda9e222644d277e54ec5c3629f553690713f47a8a31a
Instruction Fuzzy Hash: ABE0C236A127225FD2321B25AC18B6FB658EF82F72B054215FC0CE2380DBE4CE0580F2

Function 00C74E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB3CDE,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C74E74
FreeLibrary.KERNEL32(00000000,?,?,00CB3CDE,?,00D41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C74E87

Strings

kernel32.dll, xrefs: 00C74E5B
Wow64RevertWow64FsRedirection, xrefs: 00C74E6E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 39bf2c69ca4c8703b75f39fe3aadb0bd0ef940636d2aa2c8d0c16ff7fba1436f
Instruction ID: a8b086ac86acd1ffba626ffcc1c0871319c6598572359272ab29aab5b4dd166e
Opcode Fuzzy Hash: 39bf2c69ca4c8703b75f39fe3aadb0bd0ef940636d2aa2c8d0c16ff7fba1436f
Instruction Fuzzy Hash: 3BD012365127215BD6261B266C18F8BAA1CEF85B613056715B91DE2254CFA4CE0186F1

Function 00CE2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE2C05
DeleteFileW.KERNEL32(?), ref: 00CE2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CE2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE2CC0

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 66da3a6747f0d1e201ccdd6c995975e6f76efe137efcd21e2ca918f97837036b
Instruction ID: 6dd4f75559cac244ca920c8eabb0b69d1685c5d61eddd3e760d5f0d4993ae2f5
Opcode Fuzzy Hash: 66da3a6747f0d1e201ccdd6c995975e6f76efe137efcd21e2ca918f97837036b
Instruction Fuzzy Hash: 60B14C72A00219ABDF21EBA5CC85EDEB7BDEF48350F1040A6F609E7141EA719A449F61

Function 00CFA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CFA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CFA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CFA468
CloseHandle.KERNEL32(?), ref: 00CFA63D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: b10244654b128b958ed4cbe3613d5cc60e09a42e36707b1938d04d721e93d1b7
Instruction ID: 639cec1b7e8559288a493c8a718df4c51ac3352082d78244f692cf269b43b066
Opcode Fuzzy Hash: b10244654b128b958ed4cbe3613d5cc60e09a42e36707b1938d04d721e93d1b7
Instruction Fuzzy Hash: BCA190B16047019FD760DF28C886F2AB7E5AF84714F14881DFA6ADB392D770ED418B92

Function 00CDE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CDCF22,?), ref: 00CDDDFD

Part of subcall function 00CDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CDCF22,?), ref: 00CDDE16

Part of subcall function 00CDE199: GetFileAttributesW.KERNEL32(?,00CDCF95), ref: 00CDE19A

lstrcmpiW.KERNEL32(?,?), ref: 00CDE473
MoveFileW.KERNEL32(?,?), ref: 00CDE4AC
_wcslen.LIBCMT ref: 00CDE5EB
_wcslen.LIBCMT ref: 00CDE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00CDE650

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 59a25ca36e698ee6a7d91960a451f5cd260ab8751115bbbf6512adc25aa243b6
Instruction ID: 5608c6c293bf3310deca2c45d969f9389b0840c1d6c1c577e1f7fd942a094ca8
Opcode Fuzzy Hash: 59a25ca36e698ee6a7d91960a451f5cd260ab8751115bbbf6512adc25aa243b6
Instruction Fuzzy Hash: B85180B25087455BCB24EB90D881ADF73ECAF84340F00491FF699D7291EF34A6889766

Function 00CFB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFB6AE,?,?), ref: 00CFC9B5
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFC9F1
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA68
Part of subcall function 00CFC998: _wcslen.LIBCMT ref: 00CFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CFBB63
RegCloseKey.ADVAPI32(?,?), ref: 00CFBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CFBBB3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f4c10d9cef9c3e142afb81b819525366a98e9715a85abdd84b95fc430da78ba0
Instruction ID: b4bb43f19554c17fea793165d3cf171269a954af9a946302d33f79c3537f2a92
Opcode Fuzzy Hash: f4c10d9cef9c3e142afb81b819525366a98e9715a85abdd84b95fc430da78ba0
Instruction Fuzzy Hash: 6A619D31208245AFD754DF24C891E3ABBE5FF84308F14899CF5998B2A2DB31ED45DB92

Function 00CD8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CD8BCD
VariantClear.OLEAUT32 ref: 00CD8C3E
VariantClear.OLEAUT32 ref: 00CD8C9D
VariantClear.OLEAUT32(?), ref: 00CD8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CD8D3B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e07e1766432ec0835b5e33deba2eb77c9475149d9d05ce0ef53e1469a219b1fd
Instruction ID: e9bc86561df6e4d8e0632870242f51fb4ed2c05e5dc8d074d99db4792f2738b1
Opcode Fuzzy Hash: e07e1766432ec0835b5e33deba2eb77c9475149d9d05ce0ef53e1469a219b1fd
Instruction Fuzzy Hash: CA516DB5A1021AEFCB14CF58C894AAAB7F5FF89310B15855AF919DB350E730E911CFA0

Function 00CE8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CE8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CE8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CE8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CE8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CE8C5F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f06730e08b6b39ea17380eef0f63258b5eed254c6d01e27468aef8731d19baf3
Instruction ID: fe3c05c4c68c646b6b8b8369e29698b544ace345c4cda98863547fd66ce1ea04
Opcode Fuzzy Hash: f06730e08b6b39ea17380eef0f63258b5eed254c6d01e27468aef8731d19baf3
Instruction Fuzzy Hash: 4F513835A002199FCB05DF65C881A69BBF5FF49314F18C058E84DAB3A2CB31ED51DBA0

Function 00CF8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CF8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CF8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CF8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CF9032
FreeLibrary.KERNEL32(00000000), ref: 00CF9052

Part of subcall function 00C8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CE1043,?,753CE610), ref: 00C8F6E6
Part of subcall function 00C8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00CCFA64,00000000,00000000,?,?,00CE1043,?,753CE610,?,00CCFA64), ref: 00C8F70D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 899b0a90144d5ab9a0daf4167f99af166251953f8191d34b036d31c08d8057e0
Instruction ID: ea92d8f632f553c89435d60c3fe60399b7f17a9f9b0dd650d161fbc4eaa0d81e
Opcode Fuzzy Hash: 899b0a90144d5ab9a0daf4167f99af166251953f8191d34b036d31c08d8057e0
Instruction Fuzzy Hash: 8D515D34600209DFCB55DF58C495DADBBF1FF49314B0481A8E91A9B362DB31EE86CB92

Function 00D06B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D06C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D06C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D06C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CEAB79,00000000,00000000), ref: 00D06C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D06CC7

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a4418f04b7fc9888e97390f1e345540ab370ec8138581a42fa888d1ea94231bf
Instruction ID: 8ff452a96b22660a7a4901f1436f96be38e39b4afc1b6277eedca999d2cb6cb1
Opcode Fuzzy Hash: a4418f04b7fc9888e97390f1e345540ab370ec8138581a42fa888d1ea94231bf
Instruction Fuzzy Hash: 56418035A04204AFE724CF28CC59BA97FA5EB09350F190268F99DE73E0C771ED61DA64

Function 00CA2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA20C3
_free.LIBCMT ref: 00CA20E3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5afe0621dbb8439a79171e287fd9584f54a44bc4be783580cd48b25eaf0df973
Instruction ID: 0cdad9ebde6fcb4ff23448c1ddb3168589c04fc2c119872bd07ffa83248d7427
Opcode Fuzzy Hash: 5afe0621dbb8439a79171e287fd9584f54a44bc4be783580cd48b25eaf0df973
Instruction Fuzzy Hash: 6841F372A002119FCB24DF7CC880A5EB7F5EF8A318F154569E615EB392D731AE01DB80

Function 00C8912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C89141
ScreenToClient.USER32(00000000,?), ref: 00C8915E
GetAsyncKeyState.USER32(00000001), ref: 00C89183
GetAsyncKeyState.USER32(00000002), ref: 00C8919D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d5cee629e1958eb47fb5da0d8a22f63ee7f655ebca2a1e9d764e766afea55602
Instruction ID: ee550a4a4550d58c4daa10d78dfe271681e6dc959511ca68957f42d48d1216de
Opcode Fuzzy Hash: d5cee629e1958eb47fb5da0d8a22f63ee7f655ebca2a1e9d764e766afea55602
Instruction Fuzzy Hash: B8416F31A0860ABBDF15AF65C848BFEB774FB05324F248319E429A32D0C7746A50DFA5

Function 00CE3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CE38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CE3922
TranslateMessage.USER32(?), ref: 00CE394B
DispatchMessageW.USER32(?), ref: 00CE3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE3966

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d67d6ae06bc68e1b19f3f8e6aea6f9194002bac2ae76a4faeb5a37cfeba67046
Instruction ID: 3e8b3b2426dc3b817de9fcc94292cdd43c92341b0049507328202fd855052b0a
Opcode Fuzzy Hash: d67d6ae06bc68e1b19f3f8e6aea6f9194002bac2ae76a4faeb5a37cfeba67046
Instruction Fuzzy Hash: F13182745043C1ABEB35CF36984DBB637A8AB46304F040569E476C72A1E3A4BB85CB31

Function 00CECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00CEC21E,00000000), ref: 00CECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00CECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00CEC21E,00000000), ref: 00CECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CEC21E,00000000), ref: 00CECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CEC21E,00000000), ref: 00CECFF2

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: f7f1ffc9664faab9f391d91042c81a050dffd44e416a3d9d471072f10c4fc34c
Instruction ID: 3639f7ccc44cb4f156cb9e3ca983cd15c4c16c5055399cb3a8f2a5482addfdd9
Opcode Fuzzy Hash: f7f1ffc9664faab9f391d91042c81a050dffd44e416a3d9d471072f10c4fc34c
Instruction Fuzzy Hash: 3E312C71604345EFDB20DFE6C8C4AABBBF9EF14355B10452EF51AD2251DB30AE429B60

Function 00CD1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CD1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00CD19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00CD19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00CD19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00CD19E2

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d046151bf67228831ad70e091dade678f095f7c94d2966a222bac0f81b15c057
Instruction ID: 77233eec10675a9011b737c9c21372035982b0b28622d2d6a761e8c5450ac650
Opcode Fuzzy Hash: d046151bf67228831ad70e091dade678f095f7c94d2966a222bac0f81b15c057
Instruction Fuzzy Hash: D0319071A10219EFCB10CFA8C999ADE7BB5EB04315F144326FE25E72D1C7709A44CB91

Function 00D05706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D05745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D0579D
_wcslen.LIBCMT ref: 00D057AF
_wcslen.LIBCMT ref: 00D057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D05816

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: bd99105c84d1067c0b31f487c146cbaad93dbed84d17d1f648b095bd077d0b7c
Instruction ID: f345b1b4eae902cc9ea616bfb89da62030653a6024cf0dbbc8dbf1015008bdd3
Opcode Fuzzy Hash: bd99105c84d1067c0b31f487c146cbaad93dbed84d17d1f648b095bd077d0b7c
Instruction Fuzzy Hash: 0C218035904618AADB208F60EC84BEE77BCFB45320F148216ED1DEA1C4D7B0C985CF60

Function 00CF0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CF0951
GetForegroundWindow.USER32 ref: 00CF0968
GetDC.USER32(00000000), ref: 00CF09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CF09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CF09E8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ed8f3780a5e1a4cb868060cb403665c5d8cdbe71d62ff716aec913c91f9b6e77
Instruction ID: 86dc7c52d8ea50913a7d953f7ef27dfacca3c753aff1438e60c4bbb3569f410c
Opcode Fuzzy Hash: ed8f3780a5e1a4cb868060cb403665c5d8cdbe71d62ff716aec913c91f9b6e77
Instruction Fuzzy Hash: D0218E35600204AFD754EF69C889AAEBBF9EF48700F148168F94AD7362DB70AD04DB60

Function 00CACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CACDE9

Part of subcall function 00CA3820: RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CACE0F
_free.LIBCMT ref: 00CACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CACE31

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 94fbc880f2452a1446cfd19d661790b539775d22796f2834f251bbf12116878a
Instruction ID: 097d89ca8a017620bd69690d978f28251e80ea772f01cf79d3eb70e04a3b3419
Opcode Fuzzy Hash: 94fbc880f2452a1446cfd19d661790b539775d22796f2834f251bbf12116878a
Instruction Fuzzy Hash: 5901D4726013167F672117BA6CCCD7B696DDFC7BA93150229F915D7201EA608E0192F0

Function 00C89639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C89693
SelectObject.GDI32(?,00000000), ref: 00C896A2
BeginPath.GDI32(?), ref: 00C896B9
SelectObject.GDI32(?,00000000), ref: 00C896E2

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 64fee9d5870ad45b164ba82b2810d2bc6346aa563a9d02c5db4feea74a8c9238
Instruction ID: 5d52bb34eb9ba6b343f89d64210eea72f1cb0ab2b0b49192ac0572b0794b664b
Opcode Fuzzy Hash: 64fee9d5870ad45b164ba82b2810d2bc6346aa563a9d02c5db4feea74a8c9238
Instruction Fuzzy Hash: 9A214F38812305EBDB11AF65DC14BB93BA8FB51369F184316F434E62B0E3709991CFA8

Function 00CD5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CD5726
_memcmp.LIBVCRUNTIME ref: 00CD5744
_memcmp.LIBVCRUNTIME ref: 00CD5757
_memcmp.LIBVCRUNTIME ref: 00CD576F
_memcmp.LIBVCRUNTIME ref: 00CD5787

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 35339e47506a64547733347814dfd472ccb9ca65f4b528e93d609eb6da921c08
Instruction ID: 35d2a8e4232e8dfa42ab27df441a4da2081c15ed882fd52b23cf9379fc29d5dc
Opcode Fuzzy Hash: 35339e47506a64547733347814dfd472ccb9ca65f4b528e93d609eb6da921c08
Instruction Fuzzy Hash: 7F01D2A125160AFEE61856119D87FBA735CAB21394B250022FE189A781F760EE1486B0

Function 00CA2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C9F2DE,00CA3863,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6), ref: 00CA2DFD
_free.LIBCMT ref: 00CA2E32
_free.LIBCMT ref: 00CA2E59
SetLastError.KERNEL32(00000000,00C71129), ref: 00CA2E66
SetLastError.KERNEL32(00000000,00C71129), ref: 00CA2E6F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 251f113722781c204583ba13fb78d6be88cdd229eb5dbf2988af8c9e5f70bf1a
Instruction ID: fa03986b7143d00b377e94b9efa177a30f1633bf1b97838f0878ec0441f3ee5a
Opcode Fuzzy Hash: 251f113722781c204583ba13fb78d6be88cdd229eb5dbf2988af8c9e5f70bf1a
Instruction Fuzzy Hash: 6801F4322157236BC612673D6C46E6B2669ABD37BEB200228F435E2393EB74CD416130

Function 00CD000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?,?,00CD035E), ref: 00CD002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?), ref: 00CD0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CCFF41,80070057,?,?), ref: 00CD0070

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 95b3433e294c1d04af2c4c54925f2e0b112e70f1f25030c3c1fae5cb9213b86b
Instruction ID: 0d023530a1a4445cc2c7938ab7f747bd85d654bb3c0304ec868331a96c29b975
Opcode Fuzzy Hash: 95b3433e294c1d04af2c4c54925f2e0b112e70f1f25030c3c1fae5cb9213b86b
Instruction Fuzzy Hash: 7201A272610304BFDB105F69DC08BAA7EEDEF88752F249225FA09D2310D771EE408BA0

Function 00CDE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00CDE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00CDE9A5
Sleep.KERNEL32(00000000), ref: 00CDE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00CDE9B7
Sleep.KERNEL32 ref: 00CDE9F3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 33692dfab515682c5d93e0fddc270e1428b4cf9be0abe431b402ee78220d8df6
Instruction ID: b4ff153ba1dc26d1b4c35d21c2bbce18c5e3da6d17e0428bbc0cad8f163c5800
Opcode Fuzzy Hash: 33692dfab515682c5d93e0fddc270e1428b4cf9be0abe431b402ee78220d8df6
Instruction Fuzzy Hash: A6011B31D02629DBCF00ABE5D9696DDBBB8BB09701F000656E616B6341CB30965587A2

Function 00CD10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD0B9B,?,?,?), ref: 00CD1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD114D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cbb12505b1670d56b5745b801bc9a2eba4c44bbf6d1d2b8096bc49d34c8af760
Instruction ID: 8e86d5ca8f894fb2c3a0218b679531b69d059da45e027a30213d2c99d492ac73
Opcode Fuzzy Hash: cbb12505b1670d56b5745b801bc9a2eba4c44bbf6d1d2b8096bc49d34c8af760
Instruction Fuzzy Hash: 1D011479210305BFEB114FA5DC49B6A3B7EEF893A0B245529FA49D7360DA31DD009A70

Function 00CD0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CD0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CD0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CD0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CD0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CD1002

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e5e6ab64e0e47aadf877cf195659f32728b0c472a914163a08ba84f98cf987d5
Instruction ID: b9266dbca13e31316d79c700edb0c3f51a95a0dc9ddc16dd279ffd186ab1449b
Opcode Fuzzy Hash: e5e6ab64e0e47aadf877cf195659f32728b0c472a914163a08ba84f98cf987d5
Instruction Fuzzy Hash: F0F04935210301BFDB215FA4AC4AF563BADEF89762F144515FA49C6391CA70EC408A70

Function 00CD1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CD102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1062

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 49b72eb4b726fd5e55ee6a4c9c03910200e86ac50dc2d70430c9b08501ab8844
Instruction ID: 062c50bfc0f59503467f28adfd242723e4e8c3507e53a9419bbd4ec479db003d
Opcode Fuzzy Hash: 49b72eb4b726fd5e55ee6a4c9c03910200e86ac50dc2d70430c9b08501ab8844
Instruction Fuzzy Hash: 80F04935210301BBDB216FA4EC49F563BADEF89761F140515FA49C6350CA70E9408A70

Function 00CE030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE0324
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE0331
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE033E
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE034B
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE0358
CloseHandle.KERNEL32(?,?,?,?,00CE017D,?,00CE32FC,?,00000001,00CB2592,?), ref: 00CE0365

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 685394f47158563831d9c46e302b72a1f7f65e0983f6500abc9cae76dddacd4e
Instruction ID: afe1ef9442c00c42f2851ee8043f5f89a95c3fbd98a5ca75e11492fcc744e8d1
Opcode Fuzzy Hash: 685394f47158563831d9c46e302b72a1f7f65e0983f6500abc9cae76dddacd4e
Instruction Fuzzy Hash: 4801A272800B559FC7309F66D880412F7F5BF503153258A3FD1A652931C3B1AA94CF80

Function 00CAD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CAD752

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CAD764
_free.LIBCMT ref: 00CAD776
_free.LIBCMT ref: 00CAD788
_free.LIBCMT ref: 00CAD79A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80db3da6393626455b1f013675e5be6591aeb766d6ac84f3f7aaa2cf054fc23c
Instruction ID: 65a73a0925e8f252e720cb8fc8b6c1d5d611baacb094a7e952ba36c90c5d51a0
Opcode Fuzzy Hash: 80db3da6393626455b1f013675e5be6591aeb766d6ac84f3f7aaa2cf054fc23c
Instruction Fuzzy Hash: C6F0AF3211031AAF8264EB28F8C1C1B37DDBB06718B950805F01AE3A05C720FD808B70

Function 00CD5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00CD5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00CD5C6F
MessageBeep.USER32(00000000), ref: 00CD5C87
KillTimer.USER32(?,0000040A), ref: 00CD5CA3
EndDialog.USER32(?,00000001), ref: 00CD5CBD

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 59dd8a5c90139a7242cbea1c35c0684a4bbca861b1a97e10c6a023d7a3994e0f
Instruction ID: f849b36baa14d249fef69afe05b59a4bb129b325b0504fa6e2777eb641675e64
Opcode Fuzzy Hash: 59dd8a5c90139a7242cbea1c35c0684a4bbca861b1a97e10c6a023d7a3994e0f
Instruction Fuzzy Hash: 3A01DB30510B049BEB305B10DD4EFA577B8BB44741F04125AA657A11E1DBF15A448A50

Function 00CA22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA22BE

Part of subcall function 00CA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000), ref: 00CA29DE
Part of subcall function 00CA29C8: GetLastError.KERNEL32(00000000,?,00CAD7D1,00000000,00000000,00000000,00000000,?,00CAD7F8,00000000,00000007,00000000,?,00CADBF5,00000000,00000000), ref: 00CA29F0

_free.LIBCMT ref: 00CA22D0
_free.LIBCMT ref: 00CA22E3
_free.LIBCMT ref: 00CA22F4
_free.LIBCMT ref: 00CA2305

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43b2a82a758274c75de4b931c71271498ae176eecbcebf978969b5eb44e78ed5
Instruction ID: 36214ecdfcb06886bd3ed8566b83ccff0ef2c3ea201b89e61736584d4e46569b
Opcode Fuzzy Hash: 43b2a82a758274c75de4b931c71271498ae176eecbcebf978969b5eb44e78ed5
Instruction Fuzzy Hash: 6FF03A7C8103328F8756AF78BC428093F64BB1BB65B04161AF610E23B1C7300A51BBF9

Function 00C895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C895D4
StrokeAndFillPath.GDI32(?,?,00CC71F7,00000000,?,?,?), ref: 00C895F0
SelectObject.GDI32(?,00000000), ref: 00C89603
DeleteObject.GDI32 ref: 00C89616
StrokePath.GDI32(?), ref: 00C89631

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 974a94a5e11dad40f0b848f22ef989b7bc0c877edfc9fe9d4691ec4bfe791086
Instruction ID: 3f8b679efd87b46d02e1914e56e031f25687cc216633377f48f06975881707ce
Opcode Fuzzy Hash: 974a94a5e11dad40f0b848f22ef989b7bc0c877edfc9fe9d4691ec4bfe791086
Instruction Fuzzy Hash: CBF01938006304EBDB126F65ED187A43B61EB02326F089314F439D52F0D7308A91DF35

Function 00CA0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CA10F9
__freea.LIBCMT ref: 00CA1117

Part of subcall function 00CA1537: _free.LIBCMT ref: 00CA154F

Strings

a/p, xrefs: 00CA11DE
am/pm, xrefs: 00CA117A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0db762c377d7a6370b84eedbf4f55ed61ab8d84e2452abda0db2d843d43a73d2
Instruction ID: bd2924609d32ef17956e3cd05dfaa846efced4479296d9f56952b83cb29695c0
Opcode Fuzzy Hash: 0db762c377d7a6370b84eedbf4f55ed61ab8d84e2452abda0db2d843d43a73d2
Instruction Fuzzy Hash: E2D1E2319012479ACF249FA8C855BFEB7B1EF07318F2C0159EE21AB660D3359E80CB91

Function 00CF7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C90242: EnterCriticalSection.KERNEL32(00D4070C,00D41884,?,?,00C8198B,00D42518,?,?,?,00C712F9,00000000), ref: 00C9024D
Part of subcall function 00C90242: LeaveCriticalSection.KERNEL32(00D4070C,?,00C8198B,00D42518,?,?,?,00C712F9,00000000), ref: 00C9028A

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00C900A3: __onexit.LIBCMT ref: 00C900A9

__Init_thread_footer.LIBCMT ref: 00CF7BFB

Part of subcall function 00C901F8: EnterCriticalSection.KERNEL32(00D4070C,?,?,00C88747,00D42514), ref: 00C90202
Part of subcall function 00C901F8: LeaveCriticalSection.KERNEL32(00D4070C,?,00C88747,00D42514), ref: 00C90235

Strings

G, xrefs: 00CF7C7F
5, xrefs: 00CF7C78
Variable must be of type 'Object'., xrefs: 00CF7C3A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 409e4badb4f258e4e47fb9b7324b5b7218344375730f6d15031c57859bab7adf
Instruction ID: c0d1501317435d4de6da3225c478e9c63773450edad931088997dd322f54c581
Opcode Fuzzy Hash: 409e4badb4f258e4e47fb9b7324b5b7218344375730f6d15031c57859bab7adf
Instruction Fuzzy Hash: 78919C70A04209EFCB04EF58D885DBDB7B1FF49300F508259FA169B292DB31AE45DB62

Function 00CD2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CD21D0,?,?,00000034,00000800,?,00000034), ref: 00CDB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CD2760

Part of subcall function 00CDB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CD21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00CDB3F8

Part of subcall function 00CDB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00CDB355
Part of subcall function 00CDB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CD2194,00000034,?,?,00001004,00000000,00000000), ref: 00CDB365
Part of subcall function 00CDB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CD2194,00000034,?,?,00001004,00000000,00000000), ref: 00CDB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CD27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CD281A

Strings

@, xrefs: 00CD2832

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4a58f20b59e55f11c561e2415c9e72f98d7a6910143ce599a0e62fa7d5b82ab0
Instruction ID: ae23e633fc40d74e4885aee57666f53e709e13292912b5cb9a5e4d2ad5bceacb
Opcode Fuzzy Hash: 4a58f20b59e55f11c561e2415c9e72f98d7a6910143ce599a0e62fa7d5b82ab0
Instruction Fuzzy Hash: 42413C72900218AFDB20DBA4CD81AEEBBB8EF09300F004056FA55B7291DB716E45DBA0

Function 00CA172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00CA1769
_free.LIBCMT ref: 00CA1834
_free.LIBCMT ref: 00CA183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00CA1760, 00CA1767, 00CA1796, 00CA17CE

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 70677dee41a5bc7ec2cb0cb207d9ad817369d29a2ac5e7ca5184da12729d6d47
Instruction ID: 3bd0707889148a214c34838c144728ab2e70e757fbdd136617a13c3ef08a17fb
Opcode Fuzzy Hash: 70677dee41a5bc7ec2cb0cb207d9ad817369d29a2ac5e7ca5184da12729d6d47
Instruction Fuzzy Hash: C531B075A00319EFCB21DF99D885D9EBBFCEB86314F184166F814D7251D6B08E80DBA0

Function 00CDC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CDC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00CDC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D41990,013A5538), ref: 00CDC395

Strings

0, xrefs: 00CDC2DF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 908a94b3f27ed7839b3d8303ed625d388d4e7396d920565a60e59676ad250fb1
Instruction ID: 48f17edd81caabb1161c7e7b09a3c3b7965343b7e59ca921ae23ab859ce4e6af
Opcode Fuzzy Hash: 908a94b3f27ed7839b3d8303ed625d388d4e7396d920565a60e59676ad250fb1
Instruction Fuzzy Hash: 7E4191312043429FDB24DF29D8C4B9ABBE4AF85310F14861EFAA5973E1D770E904DB62

Function 00D04416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D0CC08,00000000,?,?,?,?), ref: 00D044AA
GetWindowLongW.USER32 ref: 00D044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D044D7

Strings

SysTreeView32, xrefs: 00D0447C

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 56d6ab7911983d0fd7084f7b439065120924a5e0496a03dcbf7190fe539d8928
Instruction ID: aaa802e0449761810a8e8d1f33026378f91c5b1b6206980213cf03b69a3e0022
Opcode Fuzzy Hash: 56d6ab7911983d0fd7084f7b439065120924a5e0496a03dcbf7190fe539d8928
Instruction Fuzzy Hash: 28317C71210605AFDB209F38DC45FEA77A9EB08334F244715FA79922E0D7B0EC509760

Function 00CF304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CF3077,?,?), ref: 00CF3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF307A
_wcslen.LIBCMT ref: 00CF309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00CF3106

Strings

255.255.255.255, xrefs: 00CF3095, 00CF309A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: edfe5a3263039ce3412d624d8eb7d32189d1dc33156104a70cdac6748426ebc1
Instruction ID: 4a82848f4a9ffe43b8fb4665ce4343b5b408687a33229efbf3627acbc02d98f0
Opcode Fuzzy Hash: edfe5a3263039ce3412d624d8eb7d32189d1dc33156104a70cdac6748426ebc1
Instruction Fuzzy Hash: 9131E435200289AFCB50CF28C485EBA77E0EF54318F24C059EA258B392DB32DF45C762

Function 00D03EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D03F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D03F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D03F78

Strings

SysMonthCal32, xrefs: 00D03F0B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fabac3800ac017b292be0fe7365ab8aec6b228fe3dc77d409d76ebd6c04e712d
Instruction ID: 9736d20e75908ec801baaad4a1eae69779c4bf915a4f3d9e92edf086de552c5b
Opcode Fuzzy Hash: fabac3800ac017b292be0fe7365ab8aec6b228fe3dc77d409d76ebd6c04e712d
Instruction Fuzzy Hash: 9B21BC3261021ABFDF218F50CC46FEA3B79EF48714F150214FA59AB1D0DAB1A890DBA0

Function 00D04653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D04705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D04713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D0471A

Strings

msctls_updown32, xrefs: 00D04684

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4ddd701afc8871e20209230a0d4045045bb04aaa7f1ba7f9988b7a845415fe99
Instruction ID: d35ab1642c0974b95fb02f569370130e8233551abe78ab752aeea579091edadd
Opcode Fuzzy Hash: 4ddd701afc8871e20209230a0d4045045bb04aaa7f1ba7f9988b7a845415fe99
Instruction Fuzzy Hash: F0214FF5600208AFDB10DF68DC91EA637ADEB9A364B040459F604973A1DB71EC51DA70

Function 00CD95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CD961D

Strings

#requireadmin, xrefs: 00CD95D9
#OnAutoItStartRegister, xrefs: 00CD95F3
#notrayicon, xrefs: 00CD95B7

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: e95ca1f7388d4d5bdd9dfd9e5a34723c5b7bc73e8a0574a6421981e93ee05958
Instruction ID: 6017a9b88c34e345b9580d98776149f51db6b57993dbb6cbea1e31755f6dd6f9
Opcode Fuzzy Hash: e95ca1f7388d4d5bdd9dfd9e5a34723c5b7bc73e8a0574a6421981e93ee05958
Instruction Fuzzy Hash: 4121463A204110A6C731BB259802FAB7398DF51300F104027FA5997281FB70EE96D3A5

Function 00D037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D03840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D03850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D03876

Strings

Listbox, xrefs: 00D0380F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 25795d9020a1b0485a1699fa5f53dffcd94fa673ea5d40ca1815a665152ed46c
Instruction ID: 0f7b2afc39819564200863d2c5d4cae70da02ec7cfd379805e21f415447729e8
Opcode Fuzzy Hash: 25795d9020a1b0485a1699fa5f53dffcd94fa673ea5d40ca1815a665152ed46c
Instruction Fuzzy Hash: 35218E72610218BBEB218F54CC85FAB376EEF89750F148124F9489B1D0CA71DC5287B0

Function 00CE49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CE4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CE4A5C
SetErrorMode.KERNEL32(00000000,?,?,00D0CC08), ref: 00CE4AD0

Strings

%lu, xrefs: 00CE4A6F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 28cbd2456e9ea87e3452b18b897c1fd7aae162ed24402ffb3e7cf2436c1697f8
Instruction ID: ee82007449c78d1702a71b51212510a915990ed981eb6286e316a1e8f1e91137
Opcode Fuzzy Hash: 28cbd2456e9ea87e3452b18b897c1fd7aae162ed24402ffb3e7cf2436c1697f8
Instruction Fuzzy Hash: A0315175A00209AFDB10DF64C885EAA7BF8EF08318F1480A9F909DB352D771EE45DB61

Function 00D041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D0424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D04264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D04271

Strings

msctls_trackbar32, xrefs: 00D04226

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b267dd29dc7e6151f2857e8be80ee643a957ab9c95168c6eb3b1fdd79dd6ebfd
Instruction ID: cf4fe108a962febc7a03e8b3f8297378f0af4ebe12fe19753601a14af215d07b
Opcode Fuzzy Hash: b267dd29dc7e6151f2857e8be80ee643a957ab9c95168c6eb3b1fdd79dd6ebfd
Instruction Fuzzy Hash: CA11C171240208BEEF205E39CC06FAB3BACEF85B54F010114FA59E20E0D671D8619B24

Function 00CD2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C76B57: _wcslen.LIBCMT ref: 00C76B6A

Part of subcall function 00CD2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CD2DC5
Part of subcall function 00CD2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD2DD6
Part of subcall function 00CD2DA7: GetCurrentThreadId.KERNEL32 ref: 00CD2DDD
Part of subcall function 00CD2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CD2DE4

GetFocus.USER32 ref: 00CD2F78

Part of subcall function 00CD2DEE: GetParent.USER32(00000000), ref: 00CD2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00CD2FC3
EnumChildWindows.USER32(?,00CD303B), ref: 00CD2FEB

Strings

%s%d, xrefs: 00CD2FFF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: c131a54b6ab7c833086a2a9fba47540cf13492a3c14ce2d38bab55a374dccc95
Instruction ID: f482a97c930f7785f54bc16afd3ecfa357f669322b7f7ccaaa0cf62538302305
Opcode Fuzzy Hash: c131a54b6ab7c833086a2a9fba47540cf13492a3c14ce2d38bab55a374dccc95
Instruction Fuzzy Hash: 4711A2756002056BCF547F608CC5EEE376AAF94304F049076BA099B392DE719A49EB71

Function 00D05882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D058EE
DrawMenuBar.USER32(?), ref: 00D058FD

Strings

0, xrefs: 00D0588F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 018db77e2764128b40fa35157f58238c91fc88fc3f82812b5079fc2fe899e390
Instruction ID: 41e632baf24d36e5faf0e0e82c1a5b2d408643d19c1e6b732a392d7abb4e19bc
Opcode Fuzzy Hash: 018db77e2764128b40fa35157f58238c91fc88fc3f82812b5079fc2fe899e390
Instruction Fuzzy Hash: FF016935500218EFDB219F11EC48BAFBBB4FB45361F1481A9E88DD6291DB708A95EF31

Function 00CD007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1ae55c27c098257a45abcc13957ebf8857e349a240c9ec94951a01aff47a79
Instruction ID: 8872afb10964d0a1518d1bf0a426e3110457d8065ac41be78822c7a1aa1b40ea
Opcode Fuzzy Hash: db1ae55c27c098257a45abcc13957ebf8857e349a240c9ec94951a01aff47a79
Instruction Fuzzy Hash: 71C12A75A00206AFDB14CF98C898BAEB7B5FF48704F208599E615EB351D731EE81CB90

Function 00CA3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CA3F0B
__alldvrm.LIBCMT ref: 00CA410C
__alldvrm.LIBCMT ref: 00CA412E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 7bacba3f74dcff74ce42bdf7d96e8a316aee7663d4603857eaf6b11ccde1f1c8
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: A1A17A71D103879FDB19CF68C8917AEBBE4EFA3358F1841ADE6959B241C2B48E81C750

Function 00CF342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CF3459
CoUninitialize.OLE32 ref: 00CF3463
VariantInit.OLEAUT32(?), ref: 00CF346E
VariantClear.OLEAUT32(?), ref: 00CF371B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 615eedae815670933b738bc48b37a1f80667595fd25d9c6039ec1369d73c3980
Instruction ID: 40b041536b0ddcd1287843aaf7c1ae6343a69fe0748b16a4463ea7edee387f26
Opcode Fuzzy Hash: 615eedae815670933b738bc48b37a1f80667595fd25d9c6039ec1369d73c3980
Instruction Fuzzy Hash: 02A14C75204304AFC740EF28C585A2AB7E5FF88714F14895DF99A9B362DB30EE01DB52

Function 00CD0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D0FC08,?), ref: 00CD05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D0FC08,?), ref: 00CD0608
CLSIDFromProgID.OLE32(?,?,00000000,00D0CC40,000000FF,?,00000000,00000800,00000000,?,00D0FC08,?), ref: 00CD062D
_memcmp.LIBVCRUNTIME ref: 00CD064E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1a5b79ee406ef592f110686e46b154544fc70bb57fc12d4b95a850cf51cd7495
Instruction ID: d30839b2b4f8ba0b5695068b8c3e4177a1bd923609988a5d11b05d6f9c85ad8d
Opcode Fuzzy Hash: 1a5b79ee406ef592f110686e46b154544fc70bb57fc12d4b95a850cf51cd7495
Instruction Fuzzy Hash: 3F810D71A00109EFCB04DF98C984EEEB7B9FF89315F204559F616AB250DB71AE46CB60

Function 00CFA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CFA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CFA6BA

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CFA79C
CloseHandle.KERNEL32(00000000), ref: 00CFA7AB

Part of subcall function 00C8CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CB3303,?), ref: 00C8CE8A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 25ffb821a214bb60f4dee3ccbb52cb8821cab1f29792b953dbb86f499af48a78
Instruction ID: 24481a62cae8a28f8aec0d83841ae388c20a104a37e52fce8ae8ebdce4567ce5
Opcode Fuzzy Hash: 25ffb821a214bb60f4dee3ccbb52cb8821cab1f29792b953dbb86f499af48a78
Instruction Fuzzy Hash: FF513E71508300AFD750EF25C886E6BBBE8FF89754F00891DF59997292EB70D904DB92

Function 00CB1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CB14C0

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b94963baddbd8f21b865a261c87e9b8ee061a6b9023e18885b42af4860e74ddc
Instruction ID: 2fee4dee8733c596f636e38bfa22e8b4cbcdbc819937bfcc19385ca16349cc3f
Opcode Fuzzy Hash: b94963baddbd8f21b865a261c87e9b8ee061a6b9023e18885b42af4860e74ddc
Instruction Fuzzy Hash: 6A415D31A00511ABDF216BFD8C567FE3AA4EF46370F6C4225FC29D7192E6348A416A72

Function 00D06278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D062E2
ScreenToClient.USER32(?,?), ref: 00D06315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D06382

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 192f69aa7a7ec01a2b475fe65a80b0bd45f94288ff068eb63529be4f7f408a5b
Instruction ID: 0f7f2c8ff6fd76928f3921708c7aac27039fe2b6c5f30e2a1e02ad4acdcb4650
Opcode Fuzzy Hash: 192f69aa7a7ec01a2b475fe65a80b0bd45f94288ff068eb63529be4f7f408a5b
Instruction Fuzzy Hash: 1A510C74900209EFDB20DF64D881AAE7BB5EB45360F188259F819DB2E0D730ED91CBA0

Function 00CF1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CF1AFD
WSAGetLastError.WSOCK32 ref: 00CF1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CF1B8A
WSAGetLastError.WSOCK32 ref: 00CF1B94

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 885cdbdb2e7c7f4a9b62334da0af691953cad9dcd3a52ca1e3269a864443d0d0
Instruction ID: c996dc77f90f8a44e9ef8b227b9ea38e778aac6179c712f056948715358b4a28
Opcode Fuzzy Hash: 885cdbdb2e7c7f4a9b62334da0af691953cad9dcd3a52ca1e3269a864443d0d0
Instruction Fuzzy Hash: E941C174640200AFE760AF24C886F3977E5AB44718F58C548FA1A9F3D3D772DD419B91

Function 00CAB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8557612153d7ff584e208325909319c38fc85ad58eebebefb060638bbc9594f4
Instruction ID: fff8eafc38a94f5b206f7aa0277a7d340f83906a5f6deda7263e25e1f57d8d13
Opcode Fuzzy Hash: 8557612153d7ff584e208325909319c38fc85ad58eebebefb060638bbc9594f4
Instruction Fuzzy Hash: 3B412671A00705BFD7249F78CC45BAABBE9EB8A714F10452EF511DB283D771AE019790

Function 00CE56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CE5783
GetLastError.KERNEL32(?,00000000), ref: 00CE57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CE57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CE57FA

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 68cbaccdc6301d0db5cb412214f0287a1643dc7d462119f24a642beac72c63aa
Instruction ID: 6e5985eb63daba56e5807df8eb9e5dd36e0d9758489edcbdf2873c0d77f5c46c
Opcode Fuzzy Hash: 68cbaccdc6301d0db5cb412214f0287a1643dc7d462119f24a642beac72c63aa
Instruction Fuzzy Hash: F5414C39600611DFCB11EF15C584A1EBBE2EF89724B18C488E85EAB362CB30FD00DB91

Function 00CAD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C96D71,00000000,00000000,00C982D9,?,00C982D9,?,00000001,00C96D71,8BE85006,00000001,00C982D9,00C982D9), ref: 00CAD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CAD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CAD9AB
__freea.LIBCMT ref: 00CAD9B4

Part of subcall function 00CA3820: RtlAllocateHeap.NTDLL(00000000,?,00D41444,?,00C8FDF5,?,?,00C7A976,00000010,00D41440,00C713FC,?,00C713C6,?,00C71129), ref: 00CA3852

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bf49248a9cfa2d0c88b1b8f4041a34c9552dec116d030c6aa5e39d92bb479176
Instruction ID: ed021dbde141f259550330363c4e038a8f20450286d9f2bbc4d31361615d7c5c
Opcode Fuzzy Hash: bf49248a9cfa2d0c88b1b8f4041a34c9552dec116d030c6aa5e39d92bb479176
Instruction Fuzzy Hash: 3831D272A1020AABDF249F75DC45EAF7BA9EB41314F050168FC16D7250EB35CE54DBA0

Function 00D052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D05352
GetWindowLongW.USER32(?,000000F0), ref: 00D05375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D05382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D053A8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 387eca4f55a6036800e59ec10b5df311e761c6983ff736c2563393c4875cad1d
Instruction ID: 87a01e2a35f1cadc4840169f2c10377ceb60cc667bee438984b189bd3ef8ec09
Opcode Fuzzy Hash: 387eca4f55a6036800e59ec10b5df311e761c6983ff736c2563393c4875cad1d
Instruction Fuzzy Hash: CF31E234A55A08EFEB309F14EC06BEA7765EB05390F9C4101FE59962E4C7B1A980DF72

Function 00CDAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00CDABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00CDAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00CDAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00CDACC6

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3886daf6d6c280b7e29f19f414516fa1d448e62b2155f4c99c254b4eb9de70a5
Instruction ID: 5b795db24d225a07bad75e567e0e669ead12539adb913e5fb4ebb0272300bbe3
Opcode Fuzzy Hash: 3886daf6d6c280b7e29f19f414516fa1d448e62b2155f4c99c254b4eb9de70a5
Instruction Fuzzy Hash: 81310930A607186FEF35CB658C047FE7BA5ABC5330F04431BE695923E1C3768A859762

Function 00D07674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D0769A
GetWindowRect.USER32(?,?), ref: 00D07710
PtInRect.USER32(?,?,00D08B89), ref: 00D07720
MessageBeep.USER32(00000000), ref: 00D0778C

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bcc1be4c8818f805656e2062a76bae20d805ed989c2499c06523883c0b490379
Instruction ID: 82bc92a8905b61c1ab7c35749b894fe53ca87fa3804b82b9d5a6088dba322da9
Opcode Fuzzy Hash: bcc1be4c8818f805656e2062a76bae20d805ed989c2499c06523883c0b490379
Instruction Fuzzy Hash: ED415B38A052149FCB11CF58C894BA977F5FB89354F1941A9E429DF3A1C771B982CFA0

Function 00D016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D016EB

Part of subcall function 00CD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD3A57
Part of subcall function 00CD3A3D: GetCurrentThreadId.KERNEL32 ref: 00CD3A5E
Part of subcall function 00CD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD25B3), ref: 00CD3A65

GetCaretPos.USER32(?), ref: 00D016FF
ClientToScreen.USER32(00000000,?), ref: 00D0174C
GetForegroundWindow.USER32 ref: 00D01752

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ce668601ef2a72f0d5e085cdf54479ef56af8a94e4dd50dd9be15c7b09f64afc
Instruction ID: 374eb86933910cd6739167efda7b90ebc2ed485a78816f4677693b6d46064daa
Opcode Fuzzy Hash: ce668601ef2a72f0d5e085cdf54479ef56af8a94e4dd50dd9be15c7b09f64afc
Instruction Fuzzy Hash: 2B313075D00249AFC700DFA9C881DAEB7F9FF88304B54806AE419E7251D7319E45DBA0

Function 00CDDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

_wcslen.LIBCMT ref: 00CDDFCB
_wcslen.LIBCMT ref: 00CDDFE2
_wcslen.LIBCMT ref: 00CDE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00CDE018

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: f3b66565d4be48f8fa5863dec991bfd62556b2fc01b78334ccf00c3253dbaff5
Instruction ID: 1c6ed29d650a195d0790947b15febb27569214e9c784e376fc01dabde9a874b4
Opcode Fuzzy Hash: f3b66565d4be48f8fa5863dec991bfd62556b2fc01b78334ccf00c3253dbaff5
Instruction Fuzzy Hash: D221D171D00214AFCB20EFA8D881BAEB7F8EF45710F144069E905BB381D670AE41DBA1

Function 00D08FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

GetCursorPos.USER32(?), ref: 00D09001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CC7711,?,?,?,?,?), ref: 00D09016
GetCursorPos.USER32(?), ref: 00D0905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CC7711,?,?,?), ref: 00D09094

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 89aa0014a6e8e29adb32bb50688ab296962609f542225a1b836c964b014b0752
Instruction ID: 4a93adf4c0a8855064b66cacc6351f0752751c50f3030586d6767bbf9ae051e5
Opcode Fuzzy Hash: 89aa0014a6e8e29adb32bb50688ab296962609f542225a1b836c964b014b0752
Instruction Fuzzy Hash: 08217F39600118EFDB258F94CC68FFBBBB9EB4A350F184165F949872A2C7319990DB70

Function 00CDD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D0CB68), ref: 00CDD2FB
GetLastError.KERNEL32 ref: 00CDD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CDD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D0CB68), ref: 00CDD376

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d72af7322956d21dfde46b95332e6ab17ffc82363e5cef9b2ca8a07e9c3c979c
Instruction ID: bde9ea470f64bdcbe87a216986e2a9c3f34fbe2436969af6dd00b93e9c22876b
Opcode Fuzzy Hash: d72af7322956d21dfde46b95332e6ab17ffc82363e5cef9b2ca8a07e9c3c979c
Instruction Fuzzy Hash: B0216D709193019FC710DF28C88196AB7E4EE56364F504A1EF5AAC73E1D731DA49CB93

Function 00CD1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CD102A
Part of subcall function 00CD1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1036
Part of subcall function 00CD1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1045
Part of subcall function 00CD1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD104C
Part of subcall function 00CD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CD15BE
_memcmp.LIBVCRUNTIME ref: 00CD15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD1617
HeapFree.KERNEL32(00000000), ref: 00CD161E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6a1153ebaeb4324e295a8c3ff1ceaf87acbdda19cd861284fffebdbd05f5cb48
Instruction ID: a0cfdaad3cb6bf4218408638a5a98d6b68263c649c594827bf3cdd0e86768c86
Opcode Fuzzy Hash: 6a1153ebaeb4324e295a8c3ff1ceaf87acbdda19cd861284fffebdbd05f5cb48
Instruction Fuzzy Hash: 03218631E00208BFDB00DFA4C949BEEB7B8EF40354F08445AE915AB341E730AA46CBA0

Function 00D02782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D0280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D02824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D02832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D02840

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b99be54e8e51c4eb9773868fdfe3312d012fe226a832a00917df91113a09557a
Instruction ID: 573b079a57f9da57c7d01236c465db1c972ba5835e5cd76d5a1d286df78b34ea
Opcode Fuzzy Hash: b99be54e8e51c4eb9773868fdfe3312d012fe226a832a00917df91113a09557a
Instruction Fuzzy Hash: 74219235605511AFD7149B24CC49F7A77A5AF85324F148258F41ACB6E2CB75EC42C7A0

Function 00CD78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00CD790A,?,000000FF,?,00CD8754,00000000,?,0000001C,?,?), ref: 00CD8D8C
Part of subcall function 00CD8D7D: lstrcpyW.KERNEL32(00000000,?,?,00CD790A,?,000000FF,?,00CD8754,00000000,?,0000001C,?,?,00000000), ref: 00CD8DB2
Part of subcall function 00CD8D7D: lstrcmpiW.KERNEL32(00000000,?,00CD790A,?,000000FF,?,00CD8754,00000000,?,0000001C,?,?), ref: 00CD8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00CD8754,00000000,?,0000001C,?,?,00000000), ref: 00CD7923
lstrcpyW.KERNEL32(00000000,?,?,00CD8754,00000000,?,0000001C,?,?,00000000), ref: 00CD7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00CD8754,00000000,?,0000001C,?,?,00000000), ref: 00CD7984

Strings

cdecl, xrefs: 00CD797B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b3e75f39078ea043de2ae7a1c1f38a2b5d26ae1abf8fa303b09a0297830a483d
Instruction ID: f33d0bf84f0250a858ae64b71cb0a74d5cbe197ffc03492e226597ab3367e662
Opcode Fuzzy Hash: b3e75f39078ea043de2ae7a1c1f38a2b5d26ae1abf8fa303b09a0297830a483d
Instruction Fuzzy Hash: FD11E13A200302ABCB15AF34D855E7A77A9FF85350B00412BEA06C73A4FB319911D7A1

Function 00D07CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D07D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D07D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D07D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CEB7AD,00000000), ref: 00D07D6B

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 917cd1eff047de562c763b4cf579607b871bbb761a8d6735bc54edd6f15063c5
Instruction ID: 1b69d6bec50d144d6712d1cb810fe0e454b5eee6282ef5e1b44ba0e47b5e87a4
Opcode Fuzzy Hash: 917cd1eff047de562c763b4cf579607b871bbb761a8d6735bc54edd6f15063c5
Instruction Fuzzy Hash: D8119035A15615AFDB109F28CC04BAA3BA5AF46360B194724F83DCB2F0E731E951DB70

Function 00D05660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D056BB
_wcslen.LIBCMT ref: 00D056CD
_wcslen.LIBCMT ref: 00D056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D05816

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7d6aea00a7507a9fa4c8dfe370dd219fccc34c5e84e8ff069c0bb1a7becfc9a6
Instruction ID: cdf4e6f1aa65107d97475028672bbf9c85591ecc594165c749ce0b5132942e4c
Opcode Fuzzy Hash: 7d6aea00a7507a9fa4c8dfe370dd219fccc34c5e84e8ff069c0bb1a7becfc9a6
Instruction Fuzzy Hash: 2111CA35A00608A6DF209B61EC85BEF37ACEB01360B544026FD09D60C9EAB0CA808F70

Function 00CA1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663e76bb6b818622c32faa09fc95131a3b917d1eee33a154cbfbb262b478469c
Instruction ID: 26f5608c1e58b751c25611ad8590bb73071b34bb1f9e256be40144d956b7919a
Opcode Fuzzy Hash: 663e76bb6b818622c32faa09fc95131a3b917d1eee33a154cbfbb262b478469c
Instruction Fuzzy Hash: 11012CB2A056177EE7121A786CC1F67661DDF437BCF381325B935A12D2DB608D005171

Function 00CD1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00CD1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD1A8A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4e3bf64dcf7f257d7fc6f4c51233d3dcad142f58daf22a634a591dc6c8e38c94
Instruction ID: f26a506f794ce027423542a4a75bcc188f6210b898b699b6553880f8911c58c2
Opcode Fuzzy Hash: 4e3bf64dcf7f257d7fc6f4c51233d3dcad142f58daf22a634a591dc6c8e38c94
Instruction Fuzzy Hash: 4711273A901219FFEB109BA5C985FADBB78EB08750F240092EA04B7290D7716E50EB94

Function 00CDE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CDE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00CDE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CDE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CDE24D

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e9f36990733c9c29b27d262c825096c1c870c3547e4532732b9a042581e56713
Instruction ID: 8b9bde908bef7c7a299fd0d7d40bb7a189bd863d03c8ed5a7eef06bb4932e0f0
Opcode Fuzzy Hash: e9f36990733c9c29b27d262c825096c1c870c3547e4532732b9a042581e56713
Instruction Fuzzy Hash: BF11C87A914354BBC701AFA89C09B9F7FAC9B45310F14435AF925E7391D670DE0487B1

Function 00C9D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C9CFF9,00000000,00000004,00000000), ref: 00C9D218
GetLastError.KERNEL32 ref: 00C9D224
__dosmaperr.LIBCMT ref: 00C9D22B
ResumeThread.KERNEL32(00000000), ref: 00C9D249

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 53f9676ac844a02010d5061096140cdc6feaea3271f3744309178d43e5d2cffe
Instruction ID: ea8a2dcfcf7de4349e7625f72eb337220a8a4fc79194dc9d32d2c6a04a086b31
Opcode Fuzzy Hash: 53f9676ac844a02010d5061096140cdc6feaea3271f3744309178d43e5d2cffe
Instruction Fuzzy Hash: A101F576815604BBCF116BA5DC0DBAE7A69DF81731F200319F926E21D0CB70CE01D6B1

Function 00D09EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C89BB2

GetClientRect.USER32(?,?), ref: 00D09F31
GetCursorPos.USER32(?), ref: 00D09F3B
ScreenToClient.USER32(?,?), ref: 00D09F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00D09F7A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5a707abee5d427c94dfafad3cb500d696b4e9cb5f9c1ca463a82c6b4d0980886
Instruction ID: 4b21c6bf454c5420b1db013537e20c4a6a48e17e30d6debaafb1fa66f240f938
Opcode Fuzzy Hash: 5a707abee5d427c94dfafad3cb500d696b4e9cb5f9c1ca463a82c6b4d0980886
Instruction Fuzzy Hash: 6711483690021AABDB10EF68D899AEEBBB8FF45311F040555F915E3291D730BA81CBB1

Function 00C7600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C7604C
GetStockObject.GDI32(00000011), ref: 00C76060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7606A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 7010540b0b60c258b0d5c9f05acf97723a3a5a2ea695ea19bd3c6bd3c0727b69
Instruction ID: 03d781e805b9db6f87f77718d98ad04f790bd3733d9bb5d4a532cf1b0abf702f
Opcode Fuzzy Hash: 7010540b0b60c258b0d5c9f05acf97723a3a5a2ea695ea19bd3c6bd3c0727b69
Instruction Fuzzy Hash: 73115E72501A09BFEF124FA49C44AEABF69EF09364F044215FA1892150D7329D609FA4

Function 00C93B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C93B56

Part of subcall function 00C93AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C93AD2
Part of subcall function 00C93AA3: ___AdjustPointer.LIBCMT ref: 00C93AED

_UnwindNestedFrames.LIBCMT ref: 00C93B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C93B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C93BA4

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 22a8bf5587b5fc3f804d8141147922b97137c0bf3fb320f0732e2ccb570d5f55
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C901E932100189BBDF126E95CC4AEEB7B6AEF58754F044014FE5896121C732EA62EBA0

Function 00CA3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C713C6,00000000,00000000,?,00CA301A,00C713C6,00000000,00000000,00000000,?,00CA328B,00000006,FlsSetValue), ref: 00CA30A5
GetLastError.KERNEL32(?,00CA301A,00C713C6,00000000,00000000,00000000,?,00CA328B,00000006,FlsSetValue,00D12290,FlsSetValue,00000000,00000364,?,00CA2E46), ref: 00CA30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CA301A,00C713C6,00000000,00000000,00000000,?,00CA328B,00000006,FlsSetValue,00D12290,FlsSetValue,00000000), ref: 00CA30BF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c4c454b61bd398ba89c33995abe5cc54d91ec5fd071104534c47d0425b62f458
Instruction ID: 983eecebd62f7a326bb4c196c108625ff3305e20f5e048aa674092c5bac07116
Opcode Fuzzy Hash: c4c454b61bd398ba89c33995abe5cc54d91ec5fd071104534c47d0425b62f458
Instruction Fuzzy Hash: DD012B36311363ABCB314B799C54A577B98AF47BA5B204720F919E3280C731DA01C6F0

Function 00CD7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00CD747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CD7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CD74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00CD74CA

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 88956ab586f06c6a55d7a67a1a9e6f9dea8c5ec88a99fe547a5a18301921dea2
Instruction ID: 18d11a9394e14eacf00628ee1c80b10ffa5690dc41abf5e47a7025346fedbd5e
Opcode Fuzzy Hash: 88956ab586f06c6a55d7a67a1a9e6f9dea8c5ec88a99fe547a5a18301921dea2
Instruction Fuzzy Hash: 0611A1B12053149BE721CF14DD08B92BBFCEB00B00F10866AA61AD6291E770E944DF60

Function 00CDB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CDACD3,?,00008000), ref: 00CDB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CDACD3,?,00008000), ref: 00CDB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CDACD3,?,00008000), ref: 00CDB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CDACD3,?,00008000), ref: 00CDB126

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 60ffea60509d6bf34ffbd69f63499d3443ed65b858cde3dc5c750795ba04ba87
Instruction ID: 138ca75fa08f9c89c2879cb2930adbf84828a0b555d52cc8d38c7c7eaf5d1e69
Opcode Fuzzy Hash: 60ffea60509d6bf34ffbd69f63499d3443ed65b858cde3dc5c750795ba04ba87
Instruction Fuzzy Hash: A7113C71D01A18D7CF00AFA5D9596EEBB78FF09711F124186DA51B2341CB309A508BA5

Function 00D07E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D07E33
ScreenToClient.USER32(?,?), ref: 00D07E4B
ScreenToClient.USER32(?,?), ref: 00D07E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D07E8A

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e3a5830cd3fb75820123f672ff2b574aa66e3a3a1bf293ac2493f59817bef2fa
Instruction ID: 71525795b915714f2721bca2d3f50b3b8abfeadffbf6804b7101f1d0696f78eb
Opcode Fuzzy Hash: e3a5830cd3fb75820123f672ff2b574aa66e3a3a1bf293ac2493f59817bef2fa
Instruction Fuzzy Hash: C11163B9D0020AAFDB41CF98C884AEEBBF5FB08310F505156E915E2250D775AA55CF60

Function 00CD2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CD2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD2DD6
GetCurrentThreadId.KERNEL32 ref: 00CD2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CD2DE4

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 523d8fbdf523e767f3fe1799ef40d440baedb92bf9d2d876b7bda1e22318cec2
Instruction ID: 9ed4e486b8ec81c69b2bbecb0e6c8e3bea80b5d059d23cb5ea104a1c9084b82c
Opcode Fuzzy Hash: 523d8fbdf523e767f3fe1799ef40d440baedb92bf9d2d876b7bda1e22318cec2
Instruction Fuzzy Hash: EFE092712113247BD7301B739C0DFEB3E6DEF56BA1F40121AF209D12909AA1C940C6B0

Function 00D08863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C89693
Part of subcall function 00C89639: SelectObject.GDI32(?,00000000), ref: 00C896A2
Part of subcall function 00C89639: BeginPath.GDI32(?), ref: 00C896B9
Part of subcall function 00C89639: SelectObject.GDI32(?,00000000), ref: 00C896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D08887
LineTo.GDI32(?,?,?), ref: 00D08894
EndPath.GDI32(?), ref: 00D088A4
StrokePath.GDI32(?), ref: 00D088B2

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 896417bf583b5687e9a1ebaf31740b8a1f4411f8f3f3711818f7e684f3416dd3
Instruction ID: 46f7f364d15725dbc5e064b5deb3c606ee41303f46f897a8db96d320676759cf
Opcode Fuzzy Hash: 896417bf583b5687e9a1ebaf31740b8a1f4411f8f3f3711818f7e684f3416dd3
Instruction Fuzzy Hash: C6F03A3A041358FBEB126F94AC09FCA3E59AF06310F088100FA15A62E1C7755551DFF9

Function 00C898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C898CC
SetTextColor.GDI32(?,?), ref: 00C898D6
SetBkMode.GDI32(?,00000001), ref: 00C898E9
GetStockObject.GDI32(00000005), ref: 00C898F1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6ae2d053b11050ec13f50cc3150bea1ccfb2454f2a801948338d8a841772d06a
Instruction ID: d4f9a84f5062e4b1b3754edf1aa1c2ee6ff99067c9c56a6156dc33640bcd7922
Opcode Fuzzy Hash: 6ae2d053b11050ec13f50cc3150bea1ccfb2454f2a801948338d8a841772d06a
Instruction Fuzzy Hash: 35E06D31254780AEDB215B74EC09BE83F20EB12336F048319FAFE981E1C37246509F21

Function 00CD162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00CD1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00CD11D9), ref: 00CD163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CD11D9), ref: 00CD1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00CD11D9), ref: 00CD164F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6fe460c06f913ee0ed658ccb2f7223241c7d35c2b4e95fa04b93a9948a6add2e
Instruction ID: 02c3df7fa0bf75502cba3e312c644068678ad1368d81b74b267ad9d9bbe7b1dc
Opcode Fuzzy Hash: 6fe460c06f913ee0ed658ccb2f7223241c7d35c2b4e95fa04b93a9948a6add2e
Instruction Fuzzy Hash: 16E08C32612311EBE7301FB0AE0DB863B7CEF44792F188909F749C9180E6348541CB74

Function 00CCD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CCD858
GetDC.USER32(00000000), ref: 00CCD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CCD882
ReleaseDC.USER32(?), ref: 00CCD8A3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b1263b6ab88360c9dc42257a6a089c16ee7451a86fefb40a88cd90b122301fc7
Instruction ID: 2ac9231178e78440a4d7d30bfd80a8b7f39f682fb0fe57166968dfbb71589589
Opcode Fuzzy Hash: b1263b6ab88360c9dc42257a6a089c16ee7451a86fefb40a88cd90b122301fc7
Instruction Fuzzy Hash: 7BE01AB0810305DFCF51AFA1D808B6DBBB1FB08310F109119F84AE73A0CB398901AF60

Function 00CCD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CCD86C
GetDC.USER32(00000000), ref: 00CCD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CCD882
ReleaseDC.USER32(?), ref: 00CCD8A3

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e119053fd7ab8587d9bd46003e4e9a19f99290f8b2a95dd04b63cfa8ad3f5465
Instruction ID: 3cdccca7ad6af00470078d1e63e594dd8fa89301489bf970ccd5507526302d5e
Opcode Fuzzy Hash: e119053fd7ab8587d9bd46003e4e9a19f99290f8b2a95dd04b63cfa8ad3f5465
Instruction Fuzzy Hash: 9CE012B0C10300EFCF60AFA0D80876DBBB1BB08310F10A108F84AE73A0CB395901AF60

Function 00CE4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C77620: _wcslen.LIBCMT ref: 00C77625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CE4ED4

Strings

LPT, xrefs: 00CE4DFB
*, xrefs: 00CE4E10

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0a355e96cb4f880b954fb89c9169fbaca19292e45f1015acce0645f54b3bd11c
Instruction ID: 97108e09edb292fa54b4f14a5d41ffaf8570f24a3b56c979e568e06092f847e6
Opcode Fuzzy Hash: 0a355e96cb4f880b954fb89c9169fbaca19292e45f1015acce0645f54b3bd11c
Instruction Fuzzy Hash: E0916275A00244DFCB18DF99C484EAABBF1BF44704F198099E81A9F362D735EE85CB91

Function 00C9E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C9E30D

Strings

pow, xrefs: 00C9E2E5, 00C9E302

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d1cf9c8940d9d8c962608380bd8fd77d065abaa91825106a3e0602420136bafc
Instruction ID: 9aca16aa9f5e505c553cd48564f91bcf53ee5e8a9a23a02957e66da1fdf3c4c4
Opcode Fuzzy Hash: d1cf9c8940d9d8c962608380bd8fd77d065abaa91825106a3e0602420136bafc
Instruction Fuzzy Hash: 14513C61E0C203A6CF15B714CD453BA2BA4FF61744F348E68E0E5823B9EF358D929A46

Function 00C8E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C8E1B1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 648fc819e5be82615fc6ed815d0225d2619cc211aba065a319d8bdfcdac5ca93
Instruction ID: db3e21d5c6c88a9903c1464c5122e6dc165db1353a47ba7ac2ba712d87abe5cb
Opcode Fuzzy Hash: 648fc819e5be82615fc6ed815d0225d2619cc211aba065a319d8bdfcdac5ca93
Instruction Fuzzy Hash: 1D511375500356DFDF15EF68C481FBA7BA8EF26314F248059E8A19B2D0D7349E42DBA0

Function 00C8F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C8F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C8F2BB

Strings

@, xrefs: 00C8F2AF

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d58e71dfbd4a9882166df81e54351e85fb002f6a6fb4f808cf04c9d67a012e78
Instruction ID: 78511bb1de06c669802f94347324fd28b4aa0850cde7c54adcaa816e4cc97708
Opcode Fuzzy Hash: d58e71dfbd4a9882166df81e54351e85fb002f6a6fb4f808cf04c9d67a012e78
Instruction Fuzzy Hash: 9D5145714087499BD320AF64DC86BAFBBF8FB95300F81895DF1D9811A5EB308529CB67

Function 00CF5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CF57E0
_wcslen.LIBCMT ref: 00CF57EC

Strings

CALLARGARRAY, xrefs: 00CF57E6, 00CF57EB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 93596dcad5d4e6e7eb40d606807202004340b4f7bb55383c4cd9fd78badaa688
Instruction ID: 4a3724692c92c8d1caf47f5a367af878188549fb7401300e0e861d98c3d1bb4f
Opcode Fuzzy Hash: 93596dcad5d4e6e7eb40d606807202004340b4f7bb55383c4cd9fd78badaa688
Instruction Fuzzy Hash: D341C131E402099FCB54EFA9C8819BEBBB5FF59364F104129E715A7391E7309E81CBA1

Function 00CED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CED13A

Strings

|, xrefs: 00CED10B

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3c3464200032a5f07cbb9cbfc91129f115b2d23305e3283905b86af71ce7de45
Instruction ID: 6227797a790a6f291fd0aab99bd8d14390875df00f14fdd71d83d7ee59c54f03
Opcode Fuzzy Hash: 3c3464200032a5f07cbb9cbfc91129f115b2d23305e3283905b86af71ce7de45
Instruction Fuzzy Hash: 17315E71D00209ABCF15EFA5CC85EEEBFB9FF04310F004019F81AA6162E731AA06DB61

Function 00D0356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D03621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D0365C

Strings

static, xrefs: 00D035BC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 78d800d2071ac17acd8bb3205ccccabc913cafb646e13ef35be14a4c3f6f6606
Instruction ID: fb5e2528060d0dcd543973d457e0fca6fb68b2935d151391d634145644284553
Opcode Fuzzy Hash: 78d800d2071ac17acd8bb3205ccccabc913cafb646e13ef35be14a4c3f6f6606
Instruction Fuzzy Hash: E8318871110604AADB209F68DC80BFB73ADFF88724F509619F8A9D7290DA31AD919B70

Function 00D04537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00D0461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D04634

Strings

', xrefs: 00D0458E

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4a75d00c4176298b09c4aceedc7e9607276bced573c91c34a6cc315f44b764e7
Instruction ID: 51284e484f0f66effb0f3f64d51e7cfd75edfdcb65a14b868481ffbf81463836
Opcode Fuzzy Hash: 4a75d00c4176298b09c4aceedc7e9607276bced573c91c34a6cc315f44b764e7
Instruction Fuzzy Hash: 053108B4A013099FDB14CFA9C995FDA7BB5FF49300F144069EA09AB391E771A941CFA0

Function 00D031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D0327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D03287

Strings

Combobox, xrefs: 00D03249

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3c9ed579683f38c5c5ca4d9ee528fd89a87b9ce4780cce82b0b2fb3504fc3998
Instruction ID: 800431ee77a387e3720173a26e538ede79c3e15bdd93f0dc29fcc27cd41b7dca
Opcode Fuzzy Hash: 3c9ed579683f38c5c5ca4d9ee528fd89a87b9ce4780cce82b0b2fb3504fc3998
Instruction Fuzzy Hash: DE118E712002087FEF259E64DC81FAB376EEB94364F144129F918972D0D6719D519774

Function 00D03710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C7604C
Part of subcall function 00C7600E: GetStockObject.GDI32(00000011), ref: 00C76060
Part of subcall function 00C7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7606A

GetWindowRect.USER32(00000000,?), ref: 00D0377A
GetSysColor.USER32(00000012), ref: 00D03794

Strings

static, xrefs: 00D03757

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d287d58f933bf9c8f8e62ff5fb010173df5795218fd922f4d2fbbe878e0a0fbb
Instruction ID: 8dab4bdb3aa5f60dd11408ce1e8c2658c5f3925d25a27e5e42b8f9067fd05866
Opcode Fuzzy Hash: d287d58f933bf9c8f8e62ff5fb010173df5795218fd922f4d2fbbe878e0a0fbb
Instruction Fuzzy Hash: EA1129B2610209AFDB00DFA8CC45AEA7BB8EB48314F005A15F959E2290D775E8519B60

Function 00CECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CECDA6

Strings

<local>, xrefs: 00CECD66

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0af2564479b6be484686f59ca40c42035bc486cb8fd746dcdf280279fa354ed2
Instruction ID: d9b89a49f279f89808793c111242c6db909bfaba8264d591521305a0a085b650
Opcode Fuzzy Hash: 0af2564479b6be484686f59ca40c42035bc486cb8fd746dcdf280279fa354ed2
Instruction Fuzzy Hash: 3A11E071201671BAD7284B678C88FE7BEACEB127A4F00422AF11982180D2669A42D6F0

Function 00D03429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D034BA

Strings

edit, xrefs: 00D0348F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 832eba4b75bf503565fb9cede89bd3758c6cba36e1b3b7d7d8678c5d8a242218
Instruction ID: 0e0ed40ba7a0eaeeccc174561fbd710a24c8a76d17441f6adac2b0b4518cfea3
Opcode Fuzzy Hash: 832eba4b75bf503565fb9cede89bd3758c6cba36e1b3b7d7d8678c5d8a242218
Instruction Fuzzy Hash: 77116A71500208ABEB228F64DC84BEA376EEB05374F544724F9A99B2E0C771DC919B71

Function 00CD6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

CharUpperBuffW.USER32(?,?,?), ref: 00CD6CB6
_wcslen.LIBCMT ref: 00CD6CC2

Strings

STOP, xrefs: 00CD6CBC, 00CD6CC1

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 67dd00bd641c5499fbe0eb169fecc3ce3745a6076c6c486990ecbd3513f98092
Instruction ID: 0eeca4b85dff9f357872b3b9154aedf4c651514c8258411bd3fc490bb3a820a5
Opcode Fuzzy Hash: 67dd00bd641c5499fbe0eb169fecc3ce3745a6076c6c486990ecbd3513f98092
Instruction Fuzzy Hash: F701D6326245278BCB219FBDDC819BF77B5EFA1710B500526E96297395EB31DA00C750

Function 00CD1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CD1D4C

Strings

ListBox, xrefs: 00CD1D16
ComboBox, xrefs: 00CD1CEB

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 46a86ce4ddef1a83792167b42d1015a315ef2f9a27e220d805700a22d1e73ffe
Instruction ID: f2df4b0dba9c6864c94af7b0d2d1257d58d6438516df618dc92241ea78975833
Opcode Fuzzy Hash: 46a86ce4ddef1a83792167b42d1015a315ef2f9a27e220d805700a22d1e73ffe
Instruction Fuzzy Hash: 3301F131610218ABCB09EBA0CC51DFE73A9EB52390B08060AE936673C1EB3059089661

Function 00CD1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00CD1C46

Strings

ListBox, xrefs: 00CD1C10
ComboBox, xrefs: 00CD1BE5

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7af46fb375d973c681bf1aacfb1da22f24d0dc09f4f4531d7243db7424f3ce57
Instruction ID: dbffd24abf2db459f00658b4010e704281020f8d683e4f0368d9576b9cbaed97
Opcode Fuzzy Hash: 7af46fb375d973c681bf1aacfb1da22f24d0dc09f4f4531d7243db7424f3ce57
Instruction Fuzzy Hash: FE01A7757911047ADF14EB90DD52EFF77A8DB52380F14001AA91A673C2EA209F0C96B2

Function 00CD1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00CD1CC8

Strings

ListBox, xrefs: 00CD1C94
ComboBox, xrefs: 00CD1C69

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 558ddff42d92ada49bed7026088485a492753889d5eea1820f3981dcbbec8d71
Instruction ID: ce45feb7387d410c75e1d03555cfc91417fb588a4cdea8cf81a2c572e6c9b84b
Opcode Fuzzy Hash: 558ddff42d92ada49bed7026088485a492753889d5eea1820f3981dcbbec8d71
Instruction Fuzzy Hash: 1D01A2717A01187ACB14EBA5CA42EFE73A89B52380F180016BD1673381EA619F089672

Function 00CD1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C79CB3: _wcslen.LIBCMT ref: 00C79CBD

Part of subcall function 00CD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CD3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00CD1DD3

Strings

ListBox, xrefs: 00CD1DA0
ComboBox, xrefs: 00CD1D75

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2dff3183436362f1c0f0f4b79fc59c20ee87e7145f6610c018f7a0c234ed9d04
Instruction ID: a8b4cec3838f6bda46a42d7f22adfefe42efe78bfd14b65255ef52686ad2e27a
Opcode Fuzzy Hash: 2dff3183436362f1c0f0f4b79fc59c20ee87e7145f6610c018f7a0c234ed9d04
Instruction Fuzzy Hash: A5F0F471B602147ACB05E7A4CC92FFE73A8EB12390F080A16B926633C1DB705A089271

Function 00CF747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CF7493
_wcslen.LIBCMT ref: 00CF74B9

Strings

3, 3, 16, 1, xrefs: 00CF7483

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b3812cb6be1ae1b5d45035285e796ffc5a97847a5b0dc866f0a2fa2c17be4159
Instruction ID: 65ce8ae0497d32e7db8760666de903048fe8d155b794004fed2f9206cb7f47a9
Opcode Fuzzy Hash: b3812cb6be1ae1b5d45035285e796ffc5a97847a5b0dc866f0a2fa2c17be4159
Instruction Fuzzy Hash: 3FE02B0220422410927523799CC5D7F5A8DCFC9750710182BFA91C2266EA948E92A3A2

Function 00CD0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CD0B23

Strings

AutoIt, xrefs: 00CD0B17
Error allocating memory., xrefs: 00CD0B1C

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d5a21b2fe4c5bdcb18d8f67db45d41683ed894fb5ad7f1fd135ee7d8ff7a6433
Instruction ID: 3053a992c27a5ed4bfd130763dcddc12860aee6dc2b1fbf18deb8cc7156eea2c
Opcode Fuzzy Hash: d5a21b2fe4c5bdcb18d8f67db45d41683ed894fb5ad7f1fd135ee7d8ff7a6433
Instruction Fuzzy Hash: 96E0D8312443087AD21437547C07F897B848F05B55F20042BF75C956C38AD164901ABD

Function 00C90D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C8F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C90D71,?,?,?,00C7100A), ref: 00C8F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C7100A), ref: 00C90D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C7100A), ref: 00C90D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C90D7F

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: d8676f0c8e7f568a9b2d2688ee40a434e77674bef7eeff415d56b68b04252c56
Instruction ID: a19e9c4a7f024b8db7b1a2be5c35ef9db0c71be8515d803989d7fac2b9439462
Opcode Fuzzy Hash: d8676f0c8e7f568a9b2d2688ee40a434e77674bef7eeff415d56b68b04252c56
Instruction Fuzzy Hash: 68E06D742007118FE7309FB8D40C3427BE4BB00744F208A2DE89AC6B91DBB0E4848BA1

Function 00CE3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CE302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CE3044

Strings

aut, xrefs: 00CE3038

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cf0357931f13dcc216d3a3bc1aeb8f5137df2746a625bbfcd9378c7b2f20eae6
Instruction ID: 6f9f616a2bca86e08e8eef8b8c787e828268cac7c2caf0a9c189b77847ee303a
Opcode Fuzzy Hash: cf0357931f13dcc216d3a3bc1aeb8f5137df2746a625bbfcd9378c7b2f20eae6
Instruction Fuzzy Hash: 7CD05E725003287BDA20A7A4AC0EFCB3A6CDB06750F0002A1B659E21D1DAB0D984CAE4

Function 00CCD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CCD220

Strings

%.3d, xrefs: 00CCD22B
X64, xrefs: 00CCD2A8

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 0652b552c908097a3f453e33d8ce561f1517eed14ac76dff0a28c0680f9a39ac
Instruction ID: 0974c49b2a59550d66fa415a4a013970b09ebd2991ce392f10df25f1acb53214
Opcode Fuzzy Hash: 0652b552c908097a3f453e33d8ce561f1517eed14ac76dff0a28c0680f9a39ac
Instruction Fuzzy Hash: F3D012A1C08108EACB50A7E1CC45EBAB3BCEB09301F50847AF80BD2040D634C9496B65

Function 00D02356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D0236C
PostMessageW.USER32(00000000), ref: 00D02373

Part of subcall function 00CDE97B: Sleep.KERNEL32 ref: 00CDE9F3

Strings

Shell_TrayWnd, xrefs: 00D02365

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dfa54f690b85a5a539e1cfefd3dbb07a5939eff1b542ba23c73ceebfc3968e10
Instruction ID: 80bf253b4c3455907083142ec79ead93e10b877c8fc41e2aaae2c84f0ac04668
Opcode Fuzzy Hash: dfa54f690b85a5a539e1cfefd3dbb07a5939eff1b542ba23c73ceebfc3968e10
Instruction Fuzzy Hash: C6D0C9763913107AE668B771AC0FFC666189B04B14F505A167749EA2E0C9E0A8058A64

Function 00D02322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D0232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D0233F

Part of subcall function 00CDE97B: Sleep.KERNEL32 ref: 00CDE9F3

Strings

Shell_TrayWnd, xrefs: 00D02325

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: eb3d16f9fc383db51a46fea8db45ed5dbb28c25257aa41a2d2bdd66462ba28ab
Instruction ID: 3973163d4ebb464bacde9e74db7afced686f3f673957dcc301a4f898c863ef01
Opcode Fuzzy Hash: eb3d16f9fc383db51a46fea8db45ed5dbb28c25257aa41a2d2bdd66462ba28ab
Instruction Fuzzy Hash: CED012763A5310BBE678B771EC1FFC67A189B00B14F505A167749EA2E0C9F0E805CA74

Function 00CABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00CABE93
GetLastError.KERNEL32 ref: 00CABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CABEFC

Memory Dump Source

Source File: 00000000.00000002.1724266580.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000000.00000002.1724238602.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724351224.0000000000D32000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724485872.0000000000D3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724521438.0000000000D44000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e34d2b809c4c134d6921cd993f81b9959574fec61115f82db0ee271e535d9133
Instruction ID: 51c5372ae34afb2c7ee1b8ccfc56c37c51c800daf52ab07de5b2e9ce7876075a
Opcode Fuzzy Hash: e34d2b809c4c134d6921cd993f81b9959574fec61115f82db0ee271e535d9133
Instruction Fuzzy Hash: B041E938605247AFCF21CFA5CC54BBA7BA5EF43314F184169F969971A2DB308E01DB61

Analysis Process: firefox.exePID: 7428, Parent PID: 7688COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001F6056CB577 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001F6056CB59C

Memory Dump Source

Source File: 00000010.00000002.2926624979.000001F6056C8000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F6056C8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1f6056c8000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 989b945b4a7aae9a9c5bba7ce78cf5e1ebf0cd5f56f6cb3317d20ac99e88f0dd
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 7FA3C331624A498BEB2DDF28DC856F977E5FB95300F14463EE94BC7251DF30EA428A81

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1923757272.0000021CE3F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1922133542.0000021CD930E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1907341842.0000021CE01BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752401054.0000021CE01C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895452092.0000021CE01BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1907341842.0000021CE01BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764708272.0000021CDFFA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752401054.0000021CE01C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1753328244.0000021CD99B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901944905.0000021CDA6EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923757272.0000021CE3F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1922133542.0000021CD930E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1907341842.0000021CE01BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752401054.0000021CE01C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895452092.0000021CE01BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1907341842.0000021CE01BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764708272.0000021CDFFA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752401054.0000021CE01C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F60510A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F60510A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1919514729.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928324641.0000021CDA1BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921520697.000001F60510A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1929572455.0000021CD9233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922793272.0000021CD923C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1753328244.0000021CD99B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922064463.0000021CD9329000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901944905.0000021CDA6EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1922133542.0000021CD930E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1922064463.0000021CD9329000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1753328244.0000021CD99B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917567712.0000021CDA6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901944905.0000021CDA6C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49807 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_5949e2ad-d4bf-4154-8303-ee11df99a20c.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_5949e2ad-d4bf-4154-8303-ee11df99a20c.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre