Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544114
MD5:	bd756b5e87774e23366cc2a0b637f7cd
SHA1:	a42737da1dca5e7ccee4a31da62baf6e461e2faa
SHA256:	591641077da235f85a97afdab465c12dc3d40b638dc3bfe2b7967ab6138e8a9c
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BD756B5E87774E23366CC2A0B637F7CD)

taskkill.exe (PID: 6848 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7140 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 332 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7044 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4480 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6888 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5432 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6984 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3912 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20230927232528 -prefsHandle 2268 -prefMapHandle 2260 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc2ff3ef-cc57-48e7-a7a8-8dced6d726ef} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dafd6e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7572 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {570f6398-fd13-4265-a0df-63c077bef302} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dc1106510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6224 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5224 -prefMapHandle 5212 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22cca10f-bded-465d-9862-a33ac2af1a53} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dcbafb110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6800	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00C8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C8EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C8ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00C8EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00C7AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CA9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1733398903.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_454acacc-1
Source: file.exe, 00000000.00000000.1733398903.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_20f62288-2
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_11ce46e4-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_45f986b2-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000019C122E3FB7 NtQuerySystemInformation,		17_2_0000019C122E3FB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000019C12886332 NtQuerySystemInformation,		17_2_0000019C12886332

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C7D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C7D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C71201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C7E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C7E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C1BF40	0_2_00C1BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C82046	0_2_00C82046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C18060	0_2_00C18060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C78298	0_2_00C78298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4E4FF	0_2_00C4E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4676B	0_2_00C4676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA4873	0_2_00CA4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C1CAF0	0_2_00C1CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3CAA0	0_2_00C3CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2CC39	0_2_00C2CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C46DD9	0_2_00C46DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C191C0	0_2_00C191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2B119	0_2_00C2B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31394	0_2_00C31394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31706	0_2_00C31706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3781B	0_2_00C3781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C319B0	0_2_00C319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2997D	0_2_00C2997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C17920	0_2_00C17920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C37A4A	0_2_00C37A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C37CA7	0_2_00C37CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31C77	0_2_00C31C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C49EEE	0_2_00C49EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9BE44	0_2_00C9BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31F32	0_2_00C31F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000019C122E3FB7	17_2_0000019C122E3FB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000019C12886332	17_2_0000019C12886332
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000019C12886A5C	17_2_0000019C12886A5C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000019C12886372	17_2_0000019C12886372

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C30A30 appears 45 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C2F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@35/34@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C837B5 GetLastError,FormatMessageW,

0_2_00C837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C710BF AdjustTokenPrivileges,CloseHandle,		0_2_00C710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C7D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C7D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C8648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1596:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1939176939.0000025DCBAF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1942946978.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1996330748.0000025DC87EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1963056142.0000025DC87E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20230927232528 -prefsHandle 2268 -prefMapHandle 2260 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc2ff3ef-cc57-48e7-a7a8-8dced6d726ef} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dafd6e310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {570f6398-fd13-4265-a0df-63c077bef302} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dc1106510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5224 -prefMapHandle 5212 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22cca10f-bded-465d-9862-a33ac2af1a53} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dcbafb110 utility
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20230927232528 -prefsHandle 2268 -prefMapHandle 2260 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc2ff3ef-cc57-48e7-a7a8-8dced6d726ef} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dafd6e310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {570f6398-fd13-4265-a0df-63c077bef302} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dc1106510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5224 -prefMapHandle 5212 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22cca10f-bded-465d-9862-a33ac2af1a53} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dcbafb110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: shlwapi.pdb0 source: firefox.exe, 0000000E.00000003.1994495812.0000025DC1FA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.1967011253.0000025DC7B17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdbP4O source: firefox.exe, 0000000E.00000003.1967011253.0000025DC7B17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdbP4O source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.1989209225.0000025DBF6C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.1961316114.0000025DCBAE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1996002142.0000025DCBAE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.1987463391.0000025DC21BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993675749.0000025DC21C9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.1967601566.0000025DC31A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1984968071.0000025DC31A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1992373393.0000025DC31A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1989209225.0000025DBF6C7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1980282997.0000025DBF6BD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1978974522.0000025DBF6BC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdbUGP source: firefox.exe, 0000000E.00000003.1973457861.0000025DBF69E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1972339881.0000025DBF69E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb8 source: firefox.exe, 0000000E.00000003.1967011253.0000025DC7B17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000E.00000003.1962695271.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983230044.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1989596586.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000E.00000003.1961316114.0000025DCBAE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1996002142.0000025DCBAE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.1980010534.0000025DC9807000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.1967011253.0000025DC7B17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000E.00000003.1994495812.0000025DC1FA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdbP4O source: firefox.exe, 0000000E.00000003.1968998736.0000025DC310A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000E.00000003.1987977173.0000025DC20AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998415244.0000025DC20AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.1969651196.0000025DC2FA8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.1964395077.0000025DC7F9F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb@ source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.1966236221.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997325607.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983634736.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdbp,P source: firefox.exe, 0000000E.00000003.1967011253.0000025DC7B17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1980282997.0000025DBF6BD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1978974522.0000025DBF6BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.1968998736.0000025DC310A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdbP4O source: firefox.exe, 0000000E.00000003.1987921099.0000025DC20F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993731800.0000025DC20F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000E.00000003.1994495812.0000025DC1FA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1982893208.0000025DC9959000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000E.00000003.1997094548.0000025DC7DE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1964759054.0000025DC7DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1991375903.0000025DC7DDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.1967011253.0000025DC7B17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb@ source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb@ source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.1964759054.0000025DC7DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1991622042.0000025DC7DCC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.1987921099.0000025DC20F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1987977173.0000025DC20B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993731800.0000025DC20F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998415244.0000025DC20C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1982893208.0000025DC9959000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.1967601566.0000025DC31A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1968998736.0000025DC3121000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1984968071.0000025DC31A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1992373393.0000025DC31A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb@ source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.1987463391.0000025DC2177000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb@ source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb@ source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.1967011253.0000025DC7B17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.1980010534.0000025DC9807000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb0 source: firefox.exe, 0000000E.00000003.1964395077.0000025DC7F9F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.1964759054.0000025DC7DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1991622042.0000025DC7DCC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000E.00000003.1994495812.0000025DC1FA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb@ source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb@ source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000E.00000003.1993793505.0000025DC2094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000E.00000003.1987921099.0000025DC20F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993731800.0000025DC20F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000E.00000003.1994495812.0000025DC1FE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1994495812.0000025DC1FA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbwx source: firefox.exe, 0000000E.00000003.1966236221.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997325607.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983634736.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.1969651196.0000025DC2FA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1968998736.0000025DC310A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.1987921099.0000025DC20F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993731800.0000025DC20F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.1966236221.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997325607.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983634736.0000025DC7B79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1965819457.0000025DC7BEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000E.00000003.1994495812.0000025DC1FE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.1973457861.0000025DBF69E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1972339881.0000025DBF69E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1993986613.0000025DC2035000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb@ source: firefox.exe, 0000000E.00000003.1993986613.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998724455.0000025DC2064000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C142DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C322CB push ds; ret		0_2_00C322E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C30A76 push ecx; ret		0_2_00C30A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C2F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CA1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95725

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000019C122E3FB7 rdtsc

17_2_0000019C122E3FB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C7DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C868EE FindFirstFileW,FindClose,	0_2_00C868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C8698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C7D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C7D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C89642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C89B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C85C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C85C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C142DE

Source: firefox.exe, 00000010.00000002.2989693092.000001BA70C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: firefox.exe, 00000013.00000002.2980893713.0000015CEEF3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp:@
Source: firefox.exe, 00000010.00000002.2983187395.000001BA707DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2988822548.0000019C12760000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2981560778.0000019C11EDA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2988162861.0000015CEF400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2988285112.000001BA70B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2989693092.000001BA70C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: firefox.exe, 00000010.00000002.2989693092.000001BA70C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWk
Source: firefox.exe, 00000011.00000002.2988822548.0000019C12760000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000019C122E3FB7 rdtsc

17_2_0000019C122E3FB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8EAA2 BlockInput,

0_2_00C8EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C42622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C34CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C34CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00C70B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C42622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C3083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C309D5 SetUnhandledExceptionFilter,	0_2_00C309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C30C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C30C21

Source: C:\Users\user\Desktop\file.exe

0_2_00C71201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C52BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C52BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C7B226 SendInput,keybd_event,

0_2_00C7B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00C922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00C70B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C71663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C71663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.1956938595.0000025DC9807000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C30698 cpuid

0_2_00C30698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C88195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00C88195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C6D27A GetUserNameW,

0_2_00C6D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C4BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C4BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C142DE

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C91204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00C91204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C91806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C91806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	216.58.206.46	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.65.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000E.00000003.1846313703.0000025DC1891000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1838727903.0000025DC0C70000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000013.00000002.2983915248.0000015CEF3C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.1856155169.0000025DC1890000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	firefox.exe, 0000000E.00000003.1976283535.0000025DBF69E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1978074677.0000025DBF69E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.1971902972.0000025DBFD6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1980970118.0000025DC0A4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1980008803.0000025DC0A4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1933593692.0000025DBCDF4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 00000010.00000002.2984181239.000001BA70AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982591236.0000019C121EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2988501516.0000015CEF503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1924683768.0000025DC7C4E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000013.00000002.2983915248.0000015CEF38F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.1823399315.0000025DC81AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1944121193.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997731016.0000025DC7B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1967011253.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1945004536.0000025DC31CA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.1847886889.0000025DC7F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1848412866.0000025DC196D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1845740007.0000025DC7F72000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1847103225.0000025DC0E3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1782440618.0000025DBFA7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1778474375.0000025DBFA20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1779802616.0000025DBFA3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1781889675.0000025DBFA5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1777980476.0000025DBF800000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1847103225.0000025DC0E4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1846313703.0000025DC1819000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1963056142.0000025DC87BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940793579.0000025DC87BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1966236221.0000025DC7B59000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1967011253.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1781889675.0000025DBFA5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1777980476.0000025DBF800000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.1945004536.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1984968071.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1967601566.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997850062.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1782440618.0000025DBFA7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1778474375.0000025DBFA20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1779802616.0000025DBFA3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1781889675.0000025DBFA5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1777980476.0000025DBF800000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.1990464536.0000025DCA152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1998415244.0000025DC20C6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 00000010.00000002.2984181239.000001BA70AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982591236.0000019C121EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2988501516.0000015CEF503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1964759054.0000025DC7DC0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.1847886889.0000025DC7F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1845740007.0000025DC7F72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 00000010.00000002.2984181239.000001BA70AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982591236.0000019C121EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2988501516.0000015CEF503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.1934558219.0000025DBBB7D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.1856155169.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1989596586.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982591236.0000019C1210A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2983915248.0000015CEF30C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1847827586.0000025DC155B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1843340560.0000025DC0CAD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.1823399315.0000025DC81AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1944121193.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997731016.0000025DC7B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1967011253.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000013.00000002.2983915248.0000015CEF3C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1846886034.0000025DC13FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1838234694.0000025DC15F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1847827586.0000025DC155B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1842488400.0000025DC15F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1836893683.0000025DC15EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1846313703.0000025DC1891000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1838727903.0000025DC0C70000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1919993356.0000025DC155A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1848693938.0000025DC187F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1846313703.0000025DC1819000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.1964085858.0000025DC81AA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.1945004536.0000025DC31CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940532313.0000025DC97A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1991018926.0000025DCA12E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1989596586.0000025DC97A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982591236.0000019C12112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2983915248.0000015CEF313000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1823399315.0000025DC81AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1944121193.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997731016.0000025DC7B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1967011253.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1966236221.0000025DC7B59000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.1838265994.0000025DC0D42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1966084579.0000025DC7BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1957492546.0000025DC175F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1921506551.0000025DC0D9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1896720995.0000025DBFDDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1980970118.0000025DC0A45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1931730203.0000025DC15CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1860018092.0000025DC15CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1919993356.0000025DC15D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1866390115.0000025DC15D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1831008415.0000025DC0CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1861296796.0000025DC15D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1908973287.0000025DC15B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1824370852.0000025DC22B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1946153755.0000025DC313E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1959043611.0000025DC15C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1856155169.0000025DC18D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1847886889.0000025DC7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1968998736.0000025DC3126000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1914601133.0000025DC0C65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1936023312.0000025DC0C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1919993356.0000025DC154C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1945004536.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1984968071.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1967601566.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997850062.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1945004536.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1984968071.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1994887450.0000025DC1F5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1967601566.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997850062.0000025DC3157000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.1942946978.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997325607.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983634736.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1966236221.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1950903222.0000025DC25CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1942509268.0000025DC7BD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1950903222.0000025DC25CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1942509268.0000025DC7BD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1924683768.0000025DC7C4E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.1964085858.0000025DC81C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1823399315.0000025DC81C0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1953960629.0000025DBF239000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1783888115.0000025DBF233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1784172180.0000025DBF21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1784627926.0000025DBF233000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.1838265994.0000025DC0D42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1846313703.0000025DC1891000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1838727903.0000025DC0C70000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1950903222.0000025DC25E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1970782428.0000025DC25E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1967601566.0000025DC3179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1945004536.0000025DC3179000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1992373393.0000025DC317D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1984968071.0000025DC3179000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1847827586.0000025DC155B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1838265994.0000025DC0D81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1846313703.0000025DC187F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1843340560.0000025DC0CAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1839868884.0000025DC128D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1934558219.0000025DBBB7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1953960629.0000025DBF239000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1783888115.0000025DBF233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1784172180.0000025DBF21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1784627926.0000025DBF233000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 00000010.00000002.2984181239.000001BA70AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2982591236.0000019C121EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2988501516.0000015CEF503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1945004536.0000025DC31CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1991622042.0000025DC7DCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.1823399315.0000025DC81AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1944121193.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997731016.0000025DC7B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1967011253.0000025DC7B20000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.1996002142.0000025DCBAE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1939176939.0000025DCBA7C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1777980476.0000025DBF800000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.1964395077.0000025DC7FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1779802616.0000025DBFA3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1781889675.0000025DBFA5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1777980476.0000025DBF800000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.1966236221.0000025DC7B59000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.2983638724.000001BA70810000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2987427681.0000019C12260000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2983073424.0000015CEF230000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000E.00000003.1964759054.0000025DC7DC0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vk.com/	firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000E.00000003.1942946978.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1823399315.0000025DC81AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1997325607.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983634736.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1966236221.0000025DC7B71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.186.142	youtube.com	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544114
Start date and time:	2024-10-28 20:59:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@35/34@73/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.218.156.47, 34.211.181.209, 52.32.18.233, 2.22.61.56, 2.22.61.59, 142.250.185.238, 142.250.186.74, 216.58.206.78
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 6984 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:00:10	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	http://shoutout.wix.com	Get hash	malicious	Unknown	Browse	157.240.0.35
	http://bigfoot99.com	Get hash	malicious	Unknown	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:91f62fbc-7621-46ca-93fe-fff80a9adcde	Get hash	malicious	Unknown	Browse	151.101.129.138
	https://e.trustifi.com/#/fff2a6/655144/3ac50c/e93bb8/594e42/41c163/f1cd98/92ee40/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/848a7a/9632d0/879ea4/bcfc0d/744595/93daa1/f34456/a15015/3ddaed/fad545/1fd970/328bf8/9bb3f0/c514cd/df7a51/88456c/c9366d/790245/fb6752/33794d/6e0d28/60381b/a98a06/87eaef/01f4e4/642891/927008/b3d84b/be88ef/6f56ca/922d7f/c2017a/2b28ce/5f100a/ab5cfe/ca732f/ba9f64/6c13c0/db448e/12afff/ea859a/0054d0/06ab25/ddf455/c36939/fe771f/592f7f/fd9f55/51d733/4f5c46/02cddd/dbef71/7c02e0/b3eaba/7eac45/4a8768/a7dd16/2174e0/de559c/dacc2a/571f0f/f5f216/44ee34/abbbf4/b6cd49/d82da6/795ff3/bc1fdf/8febc7/4b7488/0cb4fb/7ef03b/a191c5/4d2316/483906/0c1e88	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://myworkspacec1d73.myclickfunnels.com/onlinereview--9097d?preview=true	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/	Get hash	malicious	Unknown	Browse	151.101.2.137
	renier_visser-In Employee -11384.pdf	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://shoutout.wix.com	Get hash	malicious	Unknown	Browse	34.49.229.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d9523c2c-1f83-407d-8b80-8d842bf553ce.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.17706145101929
Encrypted:	false
SSDEEP:	192:6jMXrnQcbhbVbTbfbRbObtbyEl7nUrNCJA6WnSrDtTUd/SkDrQ:6YMcNhnzFSJ0rNxBnSrDhUd/y
MD5:	5D334DE2AF0DB6598F6B0E17E2DF2738
SHA1:	BB82A5087A2E9DFA10C8333496EB625F49369D6C
SHA-256:	B853F6B0CAB7EF50252B01CC4CAE6AD31E5FED72343C13257F73FB261FAA836F
SHA-512:	14DCD138E8EC319AA91E61B957CC7A5F0C5F533D441929D4FB22D02B79E64F2C05281C7547C3AC27A938B98EB15A17B6831B8ACAD1B67B666B77542015C98BA9
Malicious:	false
Preview:	{"type":"uninstall","id":"d9523c2c-1f83-407d-8b80-8d842bf553ce","creationDate":"2024-10-28T21:08:14.225Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d9523c2c-1f83-407d-8b80-8d842bf553ce.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.17706145101929
Encrypted:	false
SSDEEP:	192:6jMXrnQcbhbVbTbfbRbObtbyEl7nUrNCJA6WnSrDtTUd/SkDrQ:6YMcNhnzFSJ0rNxBnSrDhUd/y
MD5:	5D334DE2AF0DB6598F6B0E17E2DF2738
SHA1:	BB82A5087A2E9DFA10C8333496EB625F49369D6C
SHA-256:	B853F6B0CAB7EF50252B01CC4CAE6AD31E5FED72343C13257F73FB261FAA836F
SHA-512:	14DCD138E8EC319AA91E61B957CC7A5F0C5F533D441929D4FB22D02B79E64F2C05281C7547C3AC27A938B98EB15A17B6831B8ACAD1B67B666B77542015C98BA9
Malicious:	false
Preview:	{"type":"uninstall","id":"d9523c2c-1f83-407d-8b80-8d842bf553ce","creationDate":"2024-10-28T21:08:14.225Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929113085440699
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNk9d:8S+OfJQPUFpOdwNIOdYVjvYcXaNLHS8P
MD5:	028F8899403B5337A94B838D89696846
SHA1:	5B584D2727532FF7D4BEABE78D8F0430B1577783
SHA-256:	5F34280859210E2A71943F61D8D0659604B96B9E811B10B9B579B4167505EEF9
SHA-512:	7F1A09659F5A3DC01C55C43C737BBD7877FD9D9B6A74E852B6939D2ECB9D89E834582182BD160E9BBC23F6CF756C49E23B4095CD976A45488F18C0DDC5D6746C
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929113085440699
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNk9d:8S+OfJQPUFpOdwNIOdYVjvYcXaNLHS8P
MD5:	028F8899403B5337A94B838D89696846
SHA1:	5B584D2727532FF7D4BEABE78D8F0430B1577783
SHA-256:	5F34280859210E2A71943F61D8D0659604B96B9E811B10B9B579B4167505EEF9
SHA-512:	7F1A09659F5A3DC01C55C43C737BBD7877FD9D9B6A74E852B6939D2ECB9D89E834582182BD160E9BBC23F6CF756C49E23B4095CD976A45488F18C0DDC5D6746C
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329021336285203
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki/xPl/:DLhesh7Owd4+ji/xl
MD5:	D3F01062AAFB159A1631722F0C3B7B3C
SHA1:	D4E20FAB5FAF2376F48354E48C28108D7BC6D9D1
SHA-256:	23E41993940FC31F21D02CECD7845C8950DB94B505CC94E09BD8EF349FACF3B0
SHA-512:	88007D19E9233D825A55658B46940C17C7ABB49111342C27AE977E0C3C6667410C1F3BA0939F09E91FAEE4BF2DA653147CAD41A64DF83039DFB9FC54525A8DBC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035615874395153645
Encrypted:	false
SSDEEP:	3:GtlstFOJkFo95xex4nI3lstFOJkFo95xex4ND89//alEl:GtWtMJT54cYWtMJT54WD89XuM
MD5:	0C62059C1DDD1181D986ECE63FFDF1BC
SHA1:	511D2E8BA4EF0740A756F46D8D2B79A20D017FD4
SHA-256:	2FBF29149C47F15D562101CA2560D3C2EC842C146F24B44A47EE52FB44818533
SHA-512:	3A99551E58A81B3E5F79B3298BDB0BA5827124039EF588A6D11478E7FD6597910C85D17910C7576EC45CE476ED544F812EF854F01159A07825429554B5D99EB4
Malicious:	false
Preview:	..-.......................3....(. .......<../....-.......................3....(. .......<../..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.04001911727921433
Encrypted:	false
SSDEEP:	3:Ol1agjFxHKea/fWWxkRrflliwl8rEXsxdwhml8XW3R2:K8gYeAolliwl8dMhm93w
MD5:	29D973FBFA2B9A672ADF4239003AA048
SHA1:	280C84A1EF0ABEADF7A4AA6F255289DAF9219517
SHA-256:	6579446F2409DA596D842AEA54D0C22DBF4DE9009B89629F3497DCD3DA2F59A1
SHA-512:	175AD5867CC5D5CA3078EDBB68014ACC8F93C288C4DB9C94678D42A92932300883554F7ECA6D3111B9F381479B15D4D997993BB3D556701743A67C9228E69EFE
Malicious:	false
Preview:	7....-........... .......#...."......... ......3..(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495302175542352
Encrypted:	false
SSDEEP:	192:AnaRtLYbBp6Shj4qyaaXG6Kb0Nf95RfGNBw8d+Sl:deQqqoURcwJ0
MD5:	72E2A6A5B475B17EE0CD7CF49C3160B4
SHA1:	9184B70F8451690F5FEAED4C513F8CA9AE6653A1
SHA-256:	7588F92C6ACC27FEDAD68203C6C7F9183A6342DE2BB6C36748B4CB2AE6FB61B4
SHA-512:	365F0D26DA8300DBC37D5A9E38C7C2760A44E985B5F239EC09569E61A6F1CC88E6FEEBC44E061BDD6730EF6DA3AEF9045792E25655AE7821AC9653D67EBB6699
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730149664);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730149664);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730149664);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173014

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495302175542352
Encrypted:	false
SSDEEP:	192:AnaRtLYbBp6Shj4qyaaXG6Kb0Nf95RfGNBw8d+Sl:deQqqoURcwJ0
MD5:	72E2A6A5B475B17EE0CD7CF49C3160B4
SHA1:	9184B70F8451690F5FEAED4C513F8CA9AE6653A1
SHA-256:	7588F92C6ACC27FEDAD68203C6C7F9183A6342DE2BB6C36748B4CB2AE6FB61B4
SHA-512:	365F0D26DA8300DBC37D5A9E38C7C2760A44E985B5F239EC09569E61A6F1CC88E6FEEBC44E061BDD6730EF6DA3AEF9045792E25655AE7821AC9653D67EBB6699
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730149664);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730149664);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730149664);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173014

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.337867763304121
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSY4LXnIgDXQf/pnxQwRlszT5sKt05uU3eHVQj6TdamhujJlO/nIZme:GUpOxH4rqnR6suU3eHTd4JluFR4
MD5:	18726AFE0231027F7C01932F7BA5CBBB
SHA1:	3065E99E1C7516A24099AB95BA9E41FBF279069B
SHA-256:	B102DFBD00674344D0BA80B62A448B1D6DE87E79ACC1EE257D07A1DE0C7C0EEC
SHA-512:	84144733C0DA56F02A8F6589ABB9AE0E7EEA214CB03E93968D47956A3DB58F4C35359D4698B0238B2DAE9FA1DC6E1956D8BAFF53013F0F503924E43C3616C82B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{dbf8d140-9d04-4f7d-b558-4e1e0e137f3b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730149669803,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P33944...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39508,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.337867763304121
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSY4LXnIgDXQf/pnxQwRlszT5sKt05uU3eHVQj6TdamhujJlO/nIZme:GUpOxH4rqnR6suU3eHTd4JluFR4
MD5:	18726AFE0231027F7C01932F7BA5CBBB
SHA1:	3065E99E1C7516A24099AB95BA9E41FBF279069B
SHA-256:	B102DFBD00674344D0BA80B62A448B1D6DE87E79ACC1EE257D07A1DE0C7C0EEC
SHA-512:	84144733C0DA56F02A8F6589ABB9AE0E7EEA214CB03E93968D47956A3DB58F4C35359D4698B0238B2DAE9FA1DC6E1956D8BAFF53013F0F503924E43C3616C82B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{dbf8d140-9d04-4f7d-b558-4e1e0e137f3b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730149669803,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P33944...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39508,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.337867763304121
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSY4LXnIgDXQf/pnxQwRlszT5sKt05uU3eHVQj6TdamhujJlO/nIZme:GUpOxH4rqnR6suU3eHTd4JluFR4
MD5:	18726AFE0231027F7C01932F7BA5CBBB
SHA1:	3065E99E1C7516A24099AB95BA9E41FBF279069B
SHA-256:	B102DFBD00674344D0BA80B62A448B1D6DE87E79ACC1EE257D07A1DE0C7C0EEC
SHA-512:	84144733C0DA56F02A8F6589ABB9AE0E7EEA214CB03E93968D47956A3DB58F4C35359D4698B0238B2DAE9FA1DC6E1956D8BAFF53013F0F503924E43C3616C82B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{dbf8d140-9d04-4f7d-b558-4e1e0e137f3b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730149669803,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P33944...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39508,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0332351705980685
Encrypted:	false
SSDEEP:	48:YrSAYV6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycVyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	624B17DFFB216B53D6F91307CAE1209B
SHA1:	8C2B13E100B85FE777119D5345CDF3CA69FA4AF5
SHA-256:	C787CE62CE5C9D5E1568B0A34D6D13F457BDA9C1EB6F3547995F4E83BE4F3BF3
SHA-512:	6458AA40F7703C8A2B64B47DD2D207B4AB342312C35B3BDE2A2050A5930C21FF6132FD4855987E4A68B6DDFE507A0260F34AA0B3122705186AD4113FADA848E6
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-28T21:07:31.991Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0332351705980685
Encrypted:	false
SSDEEP:	48:YrSAYV6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycVyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	624B17DFFB216B53D6F91307CAE1209B
SHA1:	8C2B13E100B85FE777119D5345CDF3CA69FA4AF5
SHA-256:	C787CE62CE5C9D5E1568B0A34D6D13F457BDA9C1EB6F3547995F4E83BE4F3BF3
SHA-512:	6458AA40F7703C8A2B64B47DD2D207B4AB342312C35B3BDE2A2050A5930C21FF6132FD4855987E4A68B6DDFE507A0260F34AA0B3122705186AD4113FADA848E6
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-28T21:07:31.991Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584690088575646
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	bd756b5e87774e23366cc2a0b637f7cd
SHA1:	a42737da1dca5e7ccee4a31da62baf6e461e2faa
SHA256:	591641077da235f85a97afdab465c12dc3d40b638dc3bfe2b7967ab6138e8a9c
SHA512:	678b882307393b350945dcba26b225f73cedcaa57c5894d5b4f613e43e11d9a34211d739a1e76c135cbecbd25c78c0b1c8be0f54a7533654c0192c9a24f5869d
SSDEEP:	12288:kqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T3:kqDEvCTbMWu7rQYlBQcBiT6rprG8ab3
TLSH:	54159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671FEBFC [Mon Oct 28 19:54:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F38686C9F73h
jmp 00007F38686C987Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F38686C9A5Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F38686C9A2Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F38686CC61Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F38686CC668h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F38686CC651h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	38ec5978de872dcbfcb96d58ece458a7	False	0.31561511075949367	data	5.373596317626974	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 21:00:08.687429905 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:08.687536001 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:08.688077927 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:08.694493055 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:08.694529057 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:09.322788000 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:09.327351093 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:09.329297066 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:09.340336084 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:09.340359926 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:09.340595007 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:09.340702057 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:09.341114998 CET	49738	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:09.341150999 CET	443	49738	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:09.345010042 CET	49738	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:09.345010042 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:09.347103119 CET	49738	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:09.347119093 CET	443	49738	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:11.007240057 CET	443	49738	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:11.007333040 CET	49738	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:11.014810085 CET	49739	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.014861107 CET	443	49739	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.015403032 CET	49740	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.015436888 CET	443	49740	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.015546083 CET	49741	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:11.015883923 CET	49739	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.015907049 CET	49740	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.018135071 CET	49740	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.018150091 CET	443	49740	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.020348072 CET	49739	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.020373106 CET	443	49739	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.022274971 CET	80	49741	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:11.022512913 CET	49741	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:11.022773981 CET	49741	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:11.023152113 CET	49738	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:11.023166895 CET	443	49738	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:11.023261070 CET	49738	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:11.023468018 CET	443	49738	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:11.023626089 CET	49738	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:11.028001070 CET	80	49741	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:11.077755928 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.077805042 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.078943014 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.080950022 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.080966949 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.098432064 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:11.098452091 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:11.099042892 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:11.099234104 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:11.099245071 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:11.163402081 CET	49744	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.163455009 CET	443	49744	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.172441959 CET	49744	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.174843073 CET	49744	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.174868107 CET	443	49744	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.617585897 CET	80	49741	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:11.665796041 CET	49741	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:11.709630966 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.710139990 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.716577053 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.716588020 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.716739893 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.716891050 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.717253923 CET	49746	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.717313051 CET	443	49746	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.717735052 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.717789888 CET	49746	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.719856977 CET	49746	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.719871998 CET	443	49746	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.727638960 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:11.727751017 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:11.731774092 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:11.731780052 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:11.732275963 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:11.735357046 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:11.735457897 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:11.735554934 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:11.735616922 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:11.799195051 CET	443	49744	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.799211025 CET	443	49744	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.801243067 CET	49744	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.806519032 CET	49744	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.806541920 CET	443	49744	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.806687117 CET	49744	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.806814909 CET	443	49744	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.807141066 CET	49744	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.807164907 CET	49747	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.807199955 CET	443	49747	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.807269096 CET	49747	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.809036970 CET	49747	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:11.809052944 CET	443	49747	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:11.867497921 CET	49741	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:11.873338938 CET	80	49741	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:11.878894091 CET	443	49739	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.879591942 CET	443	49739	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.886660099 CET	49741	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:11.886728048 CET	49739	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.886754036 CET	443	49739	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.892533064 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:11.892620087 CET	443	49748	34.160.144.191	192.168.2.4
Oct 28, 2024 21:00:11.899236917 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:11.900959969 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:11.900998116 CET	443	49748	34.160.144.191	192.168.2.4
Oct 28, 2024 21:00:11.903310061 CET	49739	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.903372049 CET	443	49739	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.903403997 CET	49739	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.904042006 CET	443	49739	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.904386044 CET	49739	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.919277906 CET	443	49740	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.920300007 CET	443	49740	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.924453974 CET	49740	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.924469948 CET	443	49740	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.928997993 CET	49740	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.929008007 CET	443	49740	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.929074049 CET	49740	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:11.929203987 CET	443	49740	142.250.186.142	192.168.2.4
Oct 28, 2024 21:00:11.929532051 CET	49740	443	192.168.2.4	142.250.186.142
Oct 28, 2024 21:00:12.139172077 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:12.139261961 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:12.144716978 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:12.144927979 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:12.165026903 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:12.165030956 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:12.207896948 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:12.208009005 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:12.213325024 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:12.213671923 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:12.343116045 CET	443	49746	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:12.346393108 CET	49746	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:12.386462927 CET	49746	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:12.386480093 CET	443	49746	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:12.386533022 CET	49746	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:12.386888981 CET	443	49746	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:12.406845093 CET	49746	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:12.440133095 CET	443	49747	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:12.447241068 CET	49747	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:12.450810909 CET	49747	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:12.450880051 CET	443	49747	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:12.450911999 CET	49747	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:12.451154947 CET	443	49747	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:12.451534033 CET	49747	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:12.493221045 CET	49752	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:12.493273973 CET	443	49752	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:12.493834019 CET	49752	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:12.495644093 CET	49752	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:12.495661020 CET	443	49752	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:12.518111944 CET	443	49748	34.160.144.191	192.168.2.4
Oct 28, 2024 21:00:12.518131971 CET	443	49748	34.160.144.191	192.168.2.4
Oct 28, 2024 21:00:12.528459072 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:12.534658909 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:12.534687996 CET	443	49748	34.160.144.191	192.168.2.4
Oct 28, 2024 21:00:12.535109043 CET	443	49748	34.160.144.191	192.168.2.4
Oct 28, 2024 21:00:12.536936998 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:12.537009001 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:12.537164927 CET	443	49748	34.160.144.191	192.168.2.4
Oct 28, 2024 21:00:12.537178993 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:12.544914961 CET	49748	443	192.168.2.4	34.160.144.191
Oct 28, 2024 21:00:12.756442070 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:12.771302938 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:12.810350895 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:12.830593109 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:13.143290997 CET	443	49752	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:13.145150900 CET	49752	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:13.149861097 CET	49752	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:13.149895906 CET	443	49752	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:13.149969101 CET	49752	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:13.150180101 CET	443	49752	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:13.150449991 CET	49752	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:13.697261095 CET	49754	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:13.697298050 CET	443	49754	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:13.697920084 CET	49754	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:13.699374914 CET	49754	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:13.699387074 CET	443	49754	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:13.813744068 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:13.819243908 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:13.862571955 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:13.868062973 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:13.949985981 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:13.987694979 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:14.023346901 CET	49755	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:14.023399115 CET	443	49755	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:14.023981094 CET	49755	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:14.025238037 CET	49755	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:14.025260925 CET	443	49755	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:14.038572073 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:14.038701057 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:14.065773010 CET	49756	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:14.065851927 CET	443	49756	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:14.066035032 CET	49756	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:14.067222118 CET	49756	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:14.067259073 CET	443	49756	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:14.388286114 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:14.640355110 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:14.949896097 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:15.183103085 CET	443	49754	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.183234930 CET	49754	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.184561014 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:15.184598923 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:15.184627056 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:15.187325954 CET	49754	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.187336922 CET	443	49754	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.187429905 CET	49754	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.187477112 CET	443	49754	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.187797070 CET	49757	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.187815905 CET	49754	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.187833071 CET	443	49757	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.187997103 CET	49757	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.189120054 CET	49757	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.189133883 CET	443	49757	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.189671040 CET	443	49755	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:15.189728022 CET	49755	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:15.191431046 CET	443	49756	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:15.191631079 CET	49756	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:15.194520950 CET	49755	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:15.194535971 CET	443	49755	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:15.194583893 CET	49755	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:15.194725037 CET	443	49755	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:15.194931984 CET	49755	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:15.196499109 CET	49756	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:15.196527958 CET	443	49756	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:15.196576118 CET	49756	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:15.196805000 CET	443	49756	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:15.196870089 CET	49756	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:15.305699110 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:15.444818020 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:15.777560949 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:15.779187918 CET	49759	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:15.779254913 CET	443	49759	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:15.783463955 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:15.788970947 CET	49759	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:15.792958975 CET	49759	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:15.792978048 CET	443	49759	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:15.802933931 CET	443	49757	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.805237055 CET	49760	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:15.805309057 CET	443	49760	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:15.811347008 CET	443	49757	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.814443111 CET	49760	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:15.814455032 CET	49757	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.814877033 CET	49757	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.817224026 CET	49760	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:15.817259073 CET	443	49760	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:15.821284056 CET	49757	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.821291924 CET	443	49757	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.821388006 CET	49757	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.821805000 CET	443	49757	34.117.188.166	192.168.2.4
Oct 28, 2024 21:00:15.825067997 CET	49761	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:15.825110912 CET	443	49761	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:15.825829029 CET	49757	443	192.168.2.4	34.117.188.166
Oct 28, 2024 21:00:15.825864077 CET	49761	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:15.827229023 CET	49761	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:15.827249050 CET	443	49761	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:15.902628899 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:15.943197966 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:16.418131113 CET	443	49759	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:16.418168068 CET	443	49759	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:16.418215036 CET	49759	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:16.423257113 CET	49759	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:16.423279047 CET	443	49759	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:16.423429966 CET	49759	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:16.423722029 CET	443	49759	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:16.423775911 CET	49759	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:16.441036940 CET	443	49760	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:16.441071033 CET	443	49760	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:16.441128969 CET	49760	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:16.443742990 CET	49760	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:16.443787098 CET	443	49760	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:16.444242954 CET	443	49760	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:16.446522951 CET	49760	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:16.446590900 CET	49760	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:16.446733952 CET	443	49760	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:16.446815968 CET	49760	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:16.459568024 CET	443	49761	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:16.459645033 CET	49761	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:16.464180946 CET	49761	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:16.464195013 CET	443	49761	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:16.464253902 CET	49761	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:16.464467049 CET	443	49761	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:16.464526892 CET	49761	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:22.404860973 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:22.410357952 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:22.458262920 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:22.463869095 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:22.465369940 CET	49767	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:22.465409994 CET	443	49767	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:22.467927933 CET	49767	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:22.469216108 CET	49767	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:22.469239950 CET	443	49767	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:22.532368898 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:22.579612970 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:22.582063913 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:22.626509905 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:23.095525980 CET	443	49767	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:23.095649004 CET	49767	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:24.076383114 CET	49767	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:24.076417923 CET	443	49767	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:24.076488018 CET	49767	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:24.077060938 CET	443	49767	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:24.087622881 CET	49767	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:24.133574963 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:24.135992050 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.136075974 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.136332989 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.136440992 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.137948990 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.137950897 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.138148069 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.138178110 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.138282061 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.138317108 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.140068054 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:24.188195944 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.188229084 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.197938919 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.200052023 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.200079918 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.206367970 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:24.215878010 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:24.260994911 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:24.315917969 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:24.333424091 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:24.400567055 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:24.534051895 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:24.539666891 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:24.661150932 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:24.701972961 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:24.756212950 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.756373882 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.766427994 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.768991947 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.768999100 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.769048929 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.769784927 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.817883968 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.828726053 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.828773022 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.829667091 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.848601103 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.848741055 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.848866940 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.848942995 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.849165916 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.849340916 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.849663973 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.849747896 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.850049019 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.850079060 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.850143909 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.876297951 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.876367092 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.876409054 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:24.876878023 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:24.876955032 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:26.140357971 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:26.145905018 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:26.264163017 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:26.272301912 CET	49771	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:26.272382975 CET	443	49771	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:26.272588015 CET	49771	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:26.274327040 CET	49771	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:26.274360895 CET	443	49771	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:26.306824923 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:26.368319035 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:26.373720884 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:26.495024920 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:26.538661957 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:26.897705078 CET	443	49771	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:26.897811890 CET	49771	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:26.903491974 CET	49771	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:26.903510094 CET	443	49771	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:26.903630972 CET	49771	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:26.903666973 CET	443	49771	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:26.906301022 CET	49771	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:27.003950119 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:27.005436897 CET	49772	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:27.005530119 CET	443	49772	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:27.006556988 CET	49772	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:27.008505106 CET	49772	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:27.008541107 CET	443	49772	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:27.009757996 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:27.127898932 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:27.171684980 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:27.207545996 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:27.213782072 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:27.335445881 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:27.394429922 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:27.616065025 CET	443	49772	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:27.616167068 CET	49772	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:27.737737894 CET	49772	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:27.737814903 CET	443	49772	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:27.737864971 CET	49772	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:27.738037109 CET	443	49772	34.120.208.123	192.168.2.4
Oct 28, 2024 21:00:27.738109112 CET	49772	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:00:27.746474028 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:27.751930952 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:27.869966984 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:27.911477089 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:27.962234020 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:28.196728945 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:28.497575045 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:28.960915089 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:28.960983992 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:28.961237907 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:28.961292982 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:28.961613894 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:28.961666107 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:28.962986946 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:28.963016033 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:28.963048935 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:29.083442926 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:29.130517006 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:34.233880997 CET	61029	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:34.233985901 CET	443	61029	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:34.245173931 CET	61029	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:34.246999025 CET	61029	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:34.247030973 CET	443	61029	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:34.857378960 CET	443	61029	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:34.857393980 CET	443	61029	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:34.857475042 CET	61029	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:34.862685919 CET	61029	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:34.862696886 CET	443	61029	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:34.862802982 CET	61029	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:34.862955093 CET	443	61029	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:34.863055944 CET	61029	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:34.865911961 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:34.871468067 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:34.990310907 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:34.994404078 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:34.999886036 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:35.031811953 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:35.121328115 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:35.163361073 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:36.605973959 CET	61031	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:36.606017113 CET	443	61031	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:36.606463909 CET	61031	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:36.606463909 CET	61031	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:36.606506109 CET	443	61031	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:36.634275913 CET	61032	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:36.634320021 CET	443	61032	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:36.634749889 CET	61032	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:36.634911060 CET	61032	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:36.634938955 CET	443	61032	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:36.636286020 CET	61033	443	192.168.2.4	151.101.1.91
Oct 28, 2024 21:00:36.636312962 CET	443	61033	151.101.1.91	192.168.2.4
Oct 28, 2024 21:00:36.636528969 CET	61033	443	192.168.2.4	151.101.1.91
Oct 28, 2024 21:00:36.636816978 CET	61033	443	192.168.2.4	151.101.1.91
Oct 28, 2024 21:00:36.636832952 CET	443	61033	151.101.1.91	192.168.2.4
Oct 28, 2024 21:00:36.667447090 CET	61034	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:36.667529106 CET	443	61034	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:36.667794943 CET	61034	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:36.669435024 CET	61034	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:36.669488907 CET	443	61034	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:36.685651064 CET	61035	443	192.168.2.4	35.201.103.21
Oct 28, 2024 21:00:36.685695887 CET	443	61035	35.201.103.21	192.168.2.4
Oct 28, 2024 21:00:36.694777966 CET	61035	443	192.168.2.4	35.201.103.21
Oct 28, 2024 21:00:36.696369886 CET	61035	443	192.168.2.4	35.201.103.21
Oct 28, 2024 21:00:36.696405888 CET	443	61035	35.201.103.21	192.168.2.4
Oct 28, 2024 21:00:37.248016119 CET	443	61031	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.248106003 CET	61031	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.249572992 CET	443	61032	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.249677896 CET	61032	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.251985073 CET	61031	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.252016068 CET	443	61031	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.252233982 CET	443	61031	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.254590034 CET	61032	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.254616976 CET	443	61032	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.255168915 CET	443	61032	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.257257938 CET	443	61033	151.101.1.91	192.168.2.4
Oct 28, 2024 21:00:37.257446051 CET	61031	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.257539988 CET	61031	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.257595062 CET	443	61031	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.257611990 CET	61033	443	192.168.2.4	151.101.1.91
Oct 28, 2024 21:00:37.258004904 CET	61031	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.261698961 CET	61033	443	192.168.2.4	151.101.1.91
Oct 28, 2024 21:00:37.261708021 CET	443	61033	151.101.1.91	192.168.2.4
Oct 28, 2024 21:00:37.261754990 CET	61032	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.261972904 CET	443	61032	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.262092113 CET	443	61033	151.101.1.91	192.168.2.4
Oct 28, 2024 21:00:37.262197018 CET	61032	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.262213945 CET	443	61032	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.262455940 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:37.266042948 CET	61033	443	192.168.2.4	151.101.1.91
Oct 28, 2024 21:00:37.266149998 CET	61033	443	192.168.2.4	151.101.1.91
Oct 28, 2024 21:00:37.266252041 CET	443	61033	151.101.1.91	192.168.2.4
Oct 28, 2024 21:00:37.267911911 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:37.269480944 CET	61033	443	192.168.2.4	151.101.1.91
Oct 28, 2024 21:00:37.272782087 CET	61036	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.272844076 CET	443	61036	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.273019075 CET	61036	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.273149967 CET	61036	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.273181915 CET	443	61036	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.274422884 CET	443	61034	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:37.275151968 CET	61037	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.275202036 CET	443	61037	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.275552034 CET	61037	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.275551081 CET	61034	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:37.277661085 CET	61037	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.277687073 CET	443	61037	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.278645039 CET	61038	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.278669119 CET	443	61038	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.279405117 CET	61038	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.279530048 CET	61038	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.279553890 CET	443	61038	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.281104088 CET	61034	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:37.281127930 CET	443	61034	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:37.281210899 CET	61034	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:37.281332016 CET	443	61034	35.190.72.216	192.168.2.4
Oct 28, 2024 21:00:37.281521082 CET	61034	443	192.168.2.4	35.190.72.216
Oct 28, 2024 21:00:37.313186884 CET	443	61035	35.201.103.21	192.168.2.4
Oct 28, 2024 21:00:37.313196898 CET	443	61035	35.201.103.21	192.168.2.4
Oct 28, 2024 21:00:37.313249111 CET	61035	443	192.168.2.4	35.201.103.21
Oct 28, 2024 21:00:37.316381931 CET	61035	443	192.168.2.4	35.201.103.21
Oct 28, 2024 21:00:37.316396952 CET	443	61035	35.201.103.21	192.168.2.4
Oct 28, 2024 21:00:37.316447973 CET	61035	443	192.168.2.4	35.201.103.21
Oct 28, 2024 21:00:37.316560030 CET	443	61035	35.201.103.21	192.168.2.4
Oct 28, 2024 21:00:37.317286968 CET	61035	443	192.168.2.4	35.201.103.21
Oct 28, 2024 21:00:37.328785896 CET	61039	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.328821898 CET	443	61039	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.328946114 CET	61039	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.329056978 CET	61039	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.329072952 CET	443	61039	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.386434078 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:37.389255047 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:37.394567966 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:37.438711882 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:37.467350960 CET	443	61032	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.467470884 CET	61032	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.515929937 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:37.570245028 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:37.883364916 CET	443	61036	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.883455038 CET	61036	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.883461952 CET	443	61037	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.883774996 CET	61037	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.886075020 CET	61036	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.886089087 CET	443	61036	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.886466980 CET	443	61036	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.889273882 CET	61037	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.889301062 CET	443	61037	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.889651060 CET	443	61037	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.892271042 CET	61036	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.892362118 CET	61036	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.892476082 CET	443	61036	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.892646074 CET	61037	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.892687082 CET	61037	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.892880917 CET	61036	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.893085957 CET	443	61037	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.893348932 CET	61037	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.897820950 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:37.903343916 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:37.928318977 CET	443	61038	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.928401947 CET	61038	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.930715084 CET	61038	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.930723906 CET	443	61038	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.931771994 CET	443	61038	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.933501005 CET	61038	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.933613062 CET	61038	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.933692932 CET	443	61038	35.244.181.201	192.168.2.4
Oct 28, 2024 21:00:37.934271097 CET	61038	443	192.168.2.4	35.244.181.201
Oct 28, 2024 21:00:37.958276987 CET	443	61039	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.958359957 CET	61039	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.961225986 CET	61039	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.961236954 CET	443	61039	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.961982012 CET	443	61039	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.963674068 CET	61039	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.963778973 CET	61039	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:37.963850975 CET	443	61039	34.149.100.209	192.168.2.4
Oct 28, 2024 21:00:37.964322090 CET	61039	443	192.168.2.4	34.149.100.209
Oct 28, 2024 21:00:38.021152973 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:38.024229050 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:38.029640913 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:38.071679115 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:38.151191950 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:38.203236103 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:48.032567978 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:48.038194895 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:48.155009031 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:48.161041021 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:50.653430939 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:50.658818960 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:50.777251005 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:50.780792952 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:50.786334991 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:50.825145960 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:50.907474995 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:50.963234901 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:55.086675882 CET	61044	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:55.086762905 CET	443	61044	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:55.086999893 CET	61044	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:55.088226080 CET	61044	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:55.088260889 CET	443	61044	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:55.717292070 CET	443	61044	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:55.717509031 CET	61044	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:55.722290039 CET	61044	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:55.722320080 CET	443	61044	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:55.722384930 CET	61044	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:55.722886086 CET	443	61044	34.107.243.93	192.168.2.4
Oct 28, 2024 21:00:55.723459959 CET	61044	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:00:55.724853992 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:55.730310917 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:55.849498034 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:55.853153944 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:55.858741045 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:55.891818047 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:00:55.980133057 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:00:56.023392916 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:05.856847048 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:05.862226009 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:05.988285065 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:05.993658066 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:06.651138067 CET	61111	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.651196957 CET	443	61111	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:06.651556015 CET	61112	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.651596069 CET	443	61112	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:06.656260967 CET	61111	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.656481981 CET	61111	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.656481981 CET	61112	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.656498909 CET	443	61111	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:06.656652927 CET	61112	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.656668901 CET	443	61112	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:06.660684109 CET	61113	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.660742998 CET	443	61113	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:06.674968004 CET	61113	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.675288916 CET	61113	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:06.675334930 CET	443	61113	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.259989023 CET	443	61112	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.260098934 CET	61112	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.264508009 CET	61112	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.264523983 CET	443	61112	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.264862061 CET	443	61112	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.268208981 CET	61112	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.268368959 CET	61112	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.268474102 CET	443	61112	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.272739887 CET	61112	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.274655104 CET	443	61111	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.275310040 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:07.275779963 CET	61111	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.280220985 CET	61111	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.280230999 CET	443	61111	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.280482054 CET	443	61111	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.280730963 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:07.283374071 CET	61111	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.283503056 CET	61111	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.283545017 CET	443	61111	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.285056114 CET	61111	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.299058914 CET	443	61113	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.299093962 CET	443	61113	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.302476883 CET	61113	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.306839943 CET	61113	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.306863070 CET	443	61113	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.307653904 CET	443	61113	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.310225964 CET	61113	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.310369968 CET	61113	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.310630083 CET	443	61113	34.120.208.123	192.168.2.4
Oct 28, 2024 21:01:07.311794996 CET	61113	443	192.168.2.4	34.120.208.123
Oct 28, 2024 21:01:07.399502039 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:07.406214952 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:07.413018942 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:07.445957899 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:07.534449100 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:07.577593088 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:17.407155037 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:17.412590981 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:17.538690090 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:17.544507980 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:27.421309948 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:27.426695108 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:27.552719116 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:27.558300018 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:35.738277912 CET	61274	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:01:35.738320112 CET	443	61274	34.107.243.93	192.168.2.4
Oct 28, 2024 21:01:35.738718033 CET	61274	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:01:35.740721941 CET	61274	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:01:35.740739107 CET	443	61274	34.107.243.93	192.168.2.4
Oct 28, 2024 21:01:36.376399994 CET	443	61274	34.107.243.93	192.168.2.4
Oct 28, 2024 21:01:36.376482010 CET	61274	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:01:36.383672953 CET	61274	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:01:36.383682966 CET	443	61274	34.107.243.93	192.168.2.4
Oct 28, 2024 21:01:36.383821964 CET	61274	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:01:36.383897066 CET	443	61274	34.107.243.93	192.168.2.4
Oct 28, 2024 21:01:36.384968042 CET	61274	443	192.168.2.4	34.107.243.93
Oct 28, 2024 21:01:36.387936115 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:36.394074917 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:36.512089968 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:36.515897989 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:36.521457911 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:36.564450979 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:36.643332005 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:36.696048975 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:46.524524927 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:46.530220985 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:46.646981001 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:46.652445078 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:56.537885904 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:56.543525934 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:01:56.653743029 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:01:56.659369946 CET	80	49750	34.107.221.82	192.168.2.4
Oct 28, 2024 21:02:06.553539991 CET	49751	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:02:06.558928967 CET	80	49751	34.107.221.82	192.168.2.4
Oct 28, 2024 21:02:06.669354916 CET	49750	80	192.168.2.4	34.107.221.82
Oct 28, 2024 21:02:06.674695969 CET	80	49750	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 21:00:08.687999010 CET	61060	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:08.695658922 CET	53	61060	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:08.721278906 CET	53780	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:08.729989052 CET	53	53780	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:10.691047907 CET	50637	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:10.691164017 CET	49780	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.007678986 CET	53	50637	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.012856007 CET	51351	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.013448954 CET	54159	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.020675898 CET	53	51351	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.020694017 CET	53	54159	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.024324894 CET	56364	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.024475098 CET	53202	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.032026052 CET	53	56364	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.033289909 CET	53	53202	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.067428112 CET	64091	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.075445890 CET	53	64091	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.078429937 CET	56312	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.087589979 CET	53	56312	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.096961021 CET	65250	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.098937988 CET	49956	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.104542017 CET	53	65250	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.106452942 CET	53	49956	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.111579895 CET	54738	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.119656086 CET	53	54738	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.121782064 CET	49203	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.130784035 CET	53	49203	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.164261103 CET	62377	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.171535969 CET	53	62377	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.174452066 CET	58255	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.182286978 CET	53	58255	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.862338066 CET	57854	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.863728046 CET	50293	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.868499041 CET	58418	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.870294094 CET	53	57854	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.871021032 CET	53	50293	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.875922918 CET	53	58418	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.893075943 CET	62670	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.923983097 CET	63657	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.934216022 CET	53	63657	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.938760042 CET	53965	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:11.947422028 CET	53	53965	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.953896046 CET	53	55270	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:11.973413944 CET	57390	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:12.493694067 CET	58461	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:12.502532005 CET	53	58461	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:12.538285017 CET	64174	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:12.547362089 CET	53	64174	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:12.636468887 CET	57797	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:12.645494938 CET	53	57797	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:12.647160053 CET	52391	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:12.654541016 CET	53	52391	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:12.657062054 CET	55125	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:12.666237116 CET	53	55125	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:15.799940109 CET	52045	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:15.807800055 CET	53	52045	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:15.825400114 CET	56482	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:15.835969925 CET	53	56482	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:15.841248989 CET	59868	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:15.849816084 CET	53	59868	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:18.127455950 CET	50663	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:18.138936043 CET	53	50663	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:18.157572985 CET	61917	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:18.165824890 CET	53	61917	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:18.166503906 CET	51967	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:18.175642014 CET	53	51967	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:22.466077089 CET	50376	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:22.473453999 CET	53	50376	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:24.137820005 CET	58244	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:24.146310091 CET	53	58244	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.510787964 CET	54106	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.511070967 CET	57714	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.837523937 CET	62331	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.964320898 CET	53	54106	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.964663029 CET	53	62331	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.965184927 CET	53	57714	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.965200901 CET	52176	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.965873003 CET	61580	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.966013908 CET	53868	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.973140001 CET	53	52176	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.973612070 CET	56705	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.973706007 CET	53	61580	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.973738909 CET	53	53868	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.974211931 CET	57741	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.974325895 CET	52553	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.981296062 CET	53	56705	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.981833935 CET	50018	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.982165098 CET	53	52553	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.982635021 CET	50289	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.982944965 CET	53	57741	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.990464926 CET	53	50289	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.990935087 CET	65000	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.992805004 CET	53	50018	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.993273973 CET	54421	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:28.998729944 CET	53	65000	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:28.999187946 CET	64223	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:29.001852989 CET	53	54421	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:29.002259016 CET	61694	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:29.007050037 CET	53	64223	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:29.011110067 CET	53	61694	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:31.879928112 CET	53	58304	162.159.36.2	192.168.2.4
Oct 28, 2024 21:00:32.565396070 CET	59127	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:32.763559103 CET	53	59127	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:34.217818022 CET	50129	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:34.225541115 CET	53	50129	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:34.230612040 CET	56490	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:34.238596916 CET	53	56490	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:34.868068933 CET	59430	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:34.876859903 CET	64508	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:34.884995937 CET	53	64508	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:34.885538101 CET	50277	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:34.893827915 CET	53	50277	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:34.991808891 CET	56612	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:34.992024899 CET	61997	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:35.000338078 CET	53	61997	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:35.000556946 CET	53	56612	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:36.605842113 CET	53562	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:36.613781929 CET	53	53562	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:36.623471022 CET	50620	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:36.625971079 CET	65490	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:36.632306099 CET	53	50620	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:36.635251045 CET	53	65490	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:36.637126923 CET	62473	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:36.644912004 CET	53	62473	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:36.653711081 CET	54660	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:36.662208080 CET	53	54660	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:36.669820070 CET	52593	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:36.678445101 CET	53	52593	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:36.689326048 CET	65188	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:36.697935104 CET	53	65188	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:36.702353001 CET	63980	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:36.712100983 CET	53	63980	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:55.077950001 CET	56672	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:55.085668087 CET	53	56672	1.1.1.1	192.168.2.4
Oct 28, 2024 21:00:55.086966038 CET	55644	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:00:55.094562054 CET	53	55644	1.1.1.1	192.168.2.4
Oct 28, 2024 21:01:06.648869038 CET	64990	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:01:06.657708883 CET	53	64990	1.1.1.1	192.168.2.4
Oct 28, 2024 21:01:06.660067081 CET	58817	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:01:06.667901039 CET	53	58817	1.1.1.1	192.168.2.4
Oct 28, 2024 21:01:07.275705099 CET	52351	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:01:35.738573074 CET	55588	53	192.168.2.4	1.1.1.1
Oct 28, 2024 21:01:35.746304989 CET	53	55588	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 21:00:08.687999010 CET	192.168.2.4	1.1.1.1	0x835b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:08.721278906 CET	192.168.2.4	1.1.1.1	0x33ff	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:10.691047907 CET	192.168.2.4	1.1.1.1	0xa0a5	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:10.691164017 CET	192.168.2.4	1.1.1.1	0x2a72	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.012856007 CET	192.168.2.4	1.1.1.1	0xceef	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.013448954 CET	192.168.2.4	1.1.1.1	0x1991	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.024324894 CET	192.168.2.4	1.1.1.1	0x5d9f	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:11.024475098 CET	192.168.2.4	1.1.1.1	0xfb92	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:11.067428112 CET	192.168.2.4	1.1.1.1	0x5320	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.078429937 CET	192.168.2.4	1.1.1.1	0xb264	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.096961021 CET	192.168.2.4	1.1.1.1	0x67b9	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:11.098937988 CET	192.168.2.4	1.1.1.1	0xd44	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.111579895 CET	192.168.2.4	1.1.1.1	0xabaa	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:11.121782064 CET	192.168.2.4	1.1.1.1	0x429f	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.164261103 CET	192.168.2.4	1.1.1.1	0xeeb3	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.174452066 CET	192.168.2.4	1.1.1.1	0x636c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:11.862338066 CET	192.168.2.4	1.1.1.1	0xf04a	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.863728046 CET	192.168.2.4	1.1.1.1	0x88e5	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.868499041 CET	192.168.2.4	1.1.1.1	0x7a7b	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.893075943 CET	192.168.2.4	1.1.1.1	0x4a04	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.923983097 CET	192.168.2.4	1.1.1.1	0xa07b	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.938760042 CET	192.168.2.4	1.1.1.1	0xbe52	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:11.973413944 CET	192.168.2.4	1.1.1.1	0xc1c8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:12.493694067 CET	192.168.2.4	1.1.1.1	0x37b1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:12.538285017 CET	192.168.2.4	1.1.1.1	0x87a4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:12.636468887 CET	192.168.2.4	1.1.1.1	0x5d6d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:12.647160053 CET	192.168.2.4	1.1.1.1	0xda8c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:12.657062054 CET	192.168.2.4	1.1.1.1	0x97c6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:15.799940109 CET	192.168.2.4	1.1.1.1	0xee3	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:15.825400114 CET	192.168.2.4	1.1.1.1	0xbe2c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:15.841248989 CET	192.168.2.4	1.1.1.1	0xbf96	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:18.127455950 CET	192.168.2.4	1.1.1.1	0xadcb	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:18.157572985 CET	192.168.2.4	1.1.1.1	0x33c6	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:18.166503906 CET	192.168.2.4	1.1.1.1	0x366	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:22.466077089 CET	192.168.2.4	1.1.1.1	0xea00	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:24.137820005 CET	192.168.2.4	1.1.1.1	0x6408	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:28.510787964 CET	192.168.2.4	1.1.1.1	0xc15f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.511070967 CET	192.168.2.4	1.1.1.1	0x48d9	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.837523937 CET	192.168.2.4	1.1.1.1	0x2282	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.965200901 CET	192.168.2.4	1.1.1.1	0xed56	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.965873003 CET	192.168.2.4	1.1.1.1	0x34b7	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.966013908 CET	192.168.2.4	1.1.1.1	0x9569	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973612070 CET	192.168.2.4	1.1.1.1	0x51f2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:28.974211931 CET	192.168.2.4	1.1.1.1	0x35b7	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 28, 2024 21:00:28.974325895 CET	192.168.2.4	1.1.1.1	0x24a7	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:28.981833935 CET	192.168.2.4	1.1.1.1	0xf65b	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.982635021 CET	192.168.2.4	1.1.1.1	0x4087	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.990935087 CET	192.168.2.4	1.1.1.1	0x4801	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.993273973 CET	192.168.2.4	1.1.1.1	0xfe27	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.999187946 CET	192.168.2.4	1.1.1.1	0x5bee	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:29.002259016 CET	192.168.2.4	1.1.1.1	0x83e6	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:32.565396070 CET	192.168.2.4	1.1.1.1	0x5217	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 28, 2024 21:00:34.217818022 CET	192.168.2.4	1.1.1.1	0x745a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:34.230612040 CET	192.168.2.4	1.1.1.1	0xfa90	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:34.868068933 CET	192.168.2.4	1.1.1.1	0xd52b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:34.876859903 CET	192.168.2.4	1.1.1.1	0x7e29	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:34.885538101 CET	192.168.2.4	1.1.1.1	0x10b3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:34.991808891 CET	192.168.2.4	1.1.1.1	0x65a6	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:34.992024899 CET	192.168.2.4	1.1.1.1	0x8af0	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.605842113 CET	192.168.2.4	1.1.1.1	0xe650	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.623471022 CET	192.168.2.4	1.1.1.1	0xeb53	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 21:00:36.625971079 CET	192.168.2.4	1.1.1.1	0xfb7e	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.637126923 CET	192.168.2.4	1.1.1.1	0x9552	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.653711081 CET	192.168.2.4	1.1.1.1	0x2507	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 28, 2024 21:00:36.669820070 CET	192.168.2.4	1.1.1.1	0x9524	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.689326048 CET	192.168.2.4	1.1.1.1	0xe6df	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.702353001 CET	192.168.2.4	1.1.1.1	0x6d92	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:00:55.077950001 CET	192.168.2.4	1.1.1.1	0x1f10	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:55.086966038 CET	192.168.2.4	1.1.1.1	0xe545	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:01:06.648869038 CET	192.168.2.4	1.1.1.1	0xa391	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:01:06.660067081 CET	192.168.2.4	1.1.1.1	0x86bc	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 21:01:07.275705099 CET	192.168.2.4	1.1.1.1	0x142d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:01:35.738573074 CET	192.168.2.4	1.1.1.1	0xc89f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 21:00:08.677114964 CET	1.1.1.1	192.168.2.4	0x2ea7	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:08.695658922 CET	1.1.1.1	192.168.2.4	0x835b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.007678986 CET	1.1.1.1	192.168.2.4	0xa0a5	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.008730888 CET	1.1.1.1	192.168.2.4	0x2a72	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:11.008730888 CET	1.1.1.1	192.168.2.4	0x2a72	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.020675898 CET	1.1.1.1	192.168.2.4	0xceef	No error (0)	youtube.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.020694017 CET	1.1.1.1	192.168.2.4	0x1991	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.032026052 CET	1.1.1.1	192.168.2.4	0x5d9f	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 28, 2024 21:00:11.033289909 CET	1.1.1.1	192.168.2.4	0xfb92	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 21:00:11.075445890 CET	1.1.1.1	192.168.2.4	0x5320	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.087589979 CET	1.1.1.1	192.168.2.4	0xb264	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.088934898 CET	1.1.1.1	192.168.2.4	0x9394	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:11.088934898 CET	1.1.1.1	192.168.2.4	0x9394	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.106452942 CET	1.1.1.1	192.168.2.4	0xd44	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.130784035 CET	1.1.1.1	192.168.2.4	0x429f	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:11.130784035 CET	1.1.1.1	192.168.2.4	0x429f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.171535969 CET	1.1.1.1	192.168.2.4	0xeeb3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.870294094 CET	1.1.1.1	192.168.2.4	0xf04a	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:11.870294094 CET	1.1.1.1	192.168.2.4	0xf04a	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:11.870294094 CET	1.1.1.1	192.168.2.4	0xf04a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.871021032 CET	1.1.1.1	192.168.2.4	0x88e5	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.875922918 CET	1.1.1.1	192.168.2.4	0x7a7b	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.875922918 CET	1.1.1.1	192.168.2.4	0x7a7b	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.902163982 CET	1.1.1.1	192.168.2.4	0x4a04	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:11.934216022 CET	1.1.1.1	192.168.2.4	0xa07b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:11.947422028 CET	1.1.1.1	192.168.2.4	0xbe52	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 21:00:11.980997086 CET	1.1.1.1	192.168.2.4	0xc1c8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:11.980997086 CET	1.1.1.1	192.168.2.4	0xc1c8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:12.482094049 CET	1.1.1.1	192.168.2.4	0xc909	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:12.502532005 CET	1.1.1.1	192.168.2.4	0x37b1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:12.645494938 CET	1.1.1.1	192.168.2.4	0x5d6d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:12.654541016 CET	1.1.1.1	192.168.2.4	0xda8c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:14.065057993 CET	1.1.1.1	192.168.2.4	0x1949	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:15.796627998 CET	1.1.1.1	192.168.2.4	0xf45f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:15.796627998 CET	1.1.1.1	192.168.2.4	0xf45f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:15.807800055 CET	1.1.1.1	192.168.2.4	0xee3	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:15.807800055 CET	1.1.1.1	192.168.2.4	0xee3	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:15.835969925 CET	1.1.1.1	192.168.2.4	0xbe2c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:18.138936043 CET	1.1.1.1	192.168.2.4	0xadcb	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:18.138936043 CET	1.1.1.1	192.168.2.4	0xadcb	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:18.138936043 CET	1.1.1.1	192.168.2.4	0xadcb	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:18.165824890 CET	1.1.1.1	192.168.2.4	0x33c6	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964320898 CET	1.1.1.1	192.168.2.4	0xc15f	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964663029 CET	1.1.1.1	192.168.2.4	0x2282	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:28.964663029 CET	1.1.1.1	192.168.2.4	0x2282	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.965184927 CET	1.1.1.1	192.168.2.4	0x48d9	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:28.965184927 CET	1.1.1.1	192.168.2.4	0x48d9	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973140001 CET	1.1.1.1	192.168.2.4	0xed56	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973706007 CET	1.1.1.1	192.168.2.4	0x34b7	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.973738909 CET	1.1.1.1	192.168.2.4	0x9569	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.981296062 CET	1.1.1.1	192.168.2.4	0x51f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 21:00:28.981296062 CET	1.1.1.1	192.168.2.4	0x51f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 21:00:28.981296062 CET	1.1.1.1	192.168.2.4	0x51f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 21:00:28.981296062 CET	1.1.1.1	192.168.2.4	0x51f2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 21:00:28.982165098 CET	1.1.1.1	192.168.2.4	0x24a7	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 28, 2024 21:00:28.982944965 CET	1.1.1.1	192.168.2.4	0x35b7	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 28, 2024 21:00:28.990464926 CET	1.1.1.1	192.168.2.4	0x4087	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.992805004 CET	1.1.1.1	192.168.2.4	0xf65b	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:28.992805004 CET	1.1.1.1	192.168.2.4	0xf65b	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.992805004 CET	1.1.1.1	192.168.2.4	0xf65b	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.992805004 CET	1.1.1.1	192.168.2.4	0xf65b	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.992805004 CET	1.1.1.1	192.168.2.4	0xf65b	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:28.998729944 CET	1.1.1.1	192.168.2.4	0x4801	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:29.001852989 CET	1.1.1.1	192.168.2.4	0xfe27	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:29.001852989 CET	1.1.1.1	192.168.2.4	0xfe27	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:29.001852989 CET	1.1.1.1	192.168.2.4	0xfe27	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:29.001852989 CET	1.1.1.1	192.168.2.4	0xfe27	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:32.763559103 CET	1.1.1.1	192.168.2.4	0x5217	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 28, 2024 21:00:34.225541115 CET	1.1.1.1	192.168.2.4	0x745a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:34.875674963 CET	1.1.1.1	192.168.2.4	0xd52b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:34.875674963 CET	1.1.1.1	192.168.2.4	0xd52b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:34.884995937 CET	1.1.1.1	192.168.2.4	0x7e29	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:34.893827915 CET	1.1.1.1	192.168.2.4	0x10b3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 21:00:35.000338078 CET	1.1.1.1	192.168.2.4	0x8af0	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:35.000338078 CET	1.1.1.1	192.168.2.4	0x8af0	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:35.000556946 CET	1.1.1.1	192.168.2.4	0x65a6	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.603120089 CET	1.1.1.1	192.168.2.4	0x54d5	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:36.603120089 CET	1.1.1.1	192.168.2.4	0x54d5	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.613781929 CET	1.1.1.1	192.168.2.4	0xe650	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.635251045 CET	1.1.1.1	192.168.2.4	0xfb7e	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.635251045 CET	1.1.1.1	192.168.2.4	0xfb7e	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.635251045 CET	1.1.1.1	192.168.2.4	0xfb7e	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.635251045 CET	1.1.1.1	192.168.2.4	0xfb7e	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.644912004 CET	1.1.1.1	192.168.2.4	0x9552	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.644912004 CET	1.1.1.1	192.168.2.4	0x9552	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.644912004 CET	1.1.1.1	192.168.2.4	0x9552	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.644912004 CET	1.1.1.1	192.168.2.4	0x9552	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.678445101 CET	1.1.1.1	192.168.2.4	0x9524	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:36.678445101 CET	1.1.1.1	192.168.2.4	0x9524	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:36.697935104 CET	1.1.1.1	192.168.2.4	0xe6df	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:00:37.910634995 CET	1.1.1.1	192.168.2.4	0x3f5e	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:37.910634995 CET	1.1.1.1	192.168.2.4	0x3f5e	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:00:55.085668087 CET	1.1.1.1	192.168.2.4	0x1f10	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:01:06.634284019 CET	1.1.1.1	192.168.2.4	0x4123	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:01:06.657708883 CET	1.1.1.1	192.168.2.4	0xa391	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 21:01:07.283658981 CET	1.1.1.1	192.168.2.4	0x142d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 21:01:07.283658981 CET	1.1.1.1	192.168.2.4	0x142d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	34.107.221.82	80	6984	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 21:00:11.022773981 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:11.617585897 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19225 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49750	34.107.221.82	80	6984	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 21:00:12.207896948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:12.771302938 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25587 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:13.813744068 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:13.949985981 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25588 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:14.388286114 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:14.640355110 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:14.949896097 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:15.305699110 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25590 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:22.404860973 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:22.532368898 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25597 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:24.133574963 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:24.260994911 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25599 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:24.534051895 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:24.661150932 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25599 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:26.368319035 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:26.495024920 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25601 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:27.207545996 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:27.335445881 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25602 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:27.962234020 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:28.196728945 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:28.497575045 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:29.083442926 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25604 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:34.994404078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:35.121328115 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25610 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:37.389255047 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:37.515929937 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25612 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:38.024229050 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:38.151191950 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25613 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:48.155009031 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:00:50.780792952 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:50.907474995 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25625 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:00:55.853153944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:00:55.980133057 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25630 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:01:05.988285065 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:01:07.406214952 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:01:07.534449100 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25642 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:01:17.538690090 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:01:27.552719116 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:01:36.515897989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 21:01:36.643332005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 25671 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 21:01:46.646981001 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:01:56.653743029 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:02:06.669354916 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	6984	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 21:00:12.208009005 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:12.756442070 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19226 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:13.862571955 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:13.987694979 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19227 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:15.777560949 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:15.902628899 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19229 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:22.458262920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:22.582063913 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19236 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:24.206367970 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:24.333424091 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19238 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:26.140357971 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:26.264163017 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19240 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:27.003950119 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:27.127898932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19241 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:27.746474028 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:27.869966984 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19241 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:28.960915089 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19241 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:28.961237907 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19241 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:28.961613894 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19241 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:34.865911961 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:34.990310907 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19248 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:37.262455940 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:37.386434078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19251 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:37.897820950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:38.021152973 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19251 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:48.032567978 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:00:50.653430939 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:50.777251005 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19264 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:00:55.724853992 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:00:55.849498034 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19269 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:01:05.856847048 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:01:07.275310040 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:01:07.399502039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19281 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:01:17.407155037 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:01:27.421309948 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:01:36.387936115 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 21:01:36.512089968 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 19310 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 21:01:46.524524927 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:01:56.537885904 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 21:02:06.553539991 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	16:00:01
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc10000
File size:	919'552 bytes
MD5 hash:	BD756B5E87774E23366CC2A0B637F7CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:00:01
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:00:01
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:00:03
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:00:03
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:00:03
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:00:03
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:00:03
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:00:03
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:00:04
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:00:04
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:00:04
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:00:04
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:00:04
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	16:00:05
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20230927232528 -prefsHandle 2268 -prefMapHandle 2260 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc2ff3ef-cc57-48e7-a7a8-8dced6d726ef} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dafd6e310 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	16:00:07
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {570f6398-fd13-4265-a0df-63c077bef302} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dc1106510 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	16:00:14
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5224 -prefMapHandle 5212 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22cca10f-bded-465d-9862-a33ac2af1a53} 6984 "\\.\pipe\gecko-crash-server-pipe.6984" 25dcbafb110 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	16:00:18
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1537
Total number of Limit Nodes:	54

Executed Functions

Function 00C142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C1430D

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

GetCurrentProcess.KERNEL32(?,00CACB64,00000000,?,?), ref: 00C14422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C14429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C14454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C14466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C14474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C1447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C144A0

Strings

kernel32.dll, xrefs: 00C1444F
|O, xrefs: 00C536F8
GetNativeSystemInfo, xrefs: 00C14460

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9054fbac982b842a12c3b1c6c8d7eca24878a2d8242a3588b87d5245ace48925
Instruction ID: 00ec2336ef1c543ad38023a5fa6d034a1c7892a599ea07c86de51bba0ab7d87e
Opcode Fuzzy Hash: 9054fbac982b842a12c3b1c6c8d7eca24878a2d8242a3588b87d5245ace48925
Instruction Fuzzy Hash: 14A1AF7A91A2C0CFC715C76978C07DD7FE46B27740B0C4899EC919BA32D2304AA8EB35

Function 00C142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C150AA,?,?,00000000,00000000), ref: 00C142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C150AA,?,?,00000000,00000000), ref: 00C142C9
LoadResource.KERNEL32(?,00000000,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20), ref: 00C535BE
SizeofResource.KERNEL32(?,00000000,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20), ref: 00C535D3
LockResource.KERNEL32(00C150AA,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20,?), ref: 00C535E6

Strings

SCRIPT, xrefs: 00C142BF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a81b450935b30b3287b089d41ece0d4693275a3ad6d6da2d72b8b11fd69739a2
Instruction ID: 4c0e2933427ecad6c5d3e03e0c0412d0cbe54eecea7ad962aab9cb8bd1a80479
Opcode Fuzzy Hash: a81b450935b30b3287b089d41ece0d4693275a3ad6d6da2d72b8b11fd69739a2
Instruction Fuzzy Hash: 9C118E74200701BFD7258B65DC88F6B7BBAEBC6B55F104269F412D7290DB71DD809630

Function 00C52BA5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C12B6B

Part of subcall function 00C13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF, w,?,00C12E7F,?,?,?,00000000), ref: 00C13A78

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00CD2224), ref: 00C52C10
ShellExecuteW.SHELL32(00000000,?,?,00CD2224), ref: 00C52C17

Strings

runas, xrefs: 00C52C0B
w, xrefs: 00C52BD9

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: w$runas
API String ID: 448630720-3860348128
Opcode ID: a70749460ac25788f82ccf12ef863fbe4cfed4324aa837194498366e0d822a6e
Instruction ID: 043c371ec30d91d6f84e777cb1e76fb961f4dc176c549995510bac20d38490db
Opcode Fuzzy Hash: a70749460ac25788f82ccf12ef863fbe4cfed4324aa837194498366e0d822a6e
Instruction Fuzzy Hash: D611D2312083819BC714FF60D8A1AFE77A49B93314F48142EB593061A2CF308ADAB752

Function 00C7D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C7D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C7D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C7D52F
CloseHandle.KERNELBASE(00000000), ref: 00C7D5DC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 884e07e3f9e233761377bd1502fcba5992fe7b7ebe155c8b7fe03bf93b268b6e
Instruction ID: 52d1ebe0b54dfb3044c0dd0acd2311c227f65100d6b94fa61d51e5d6488be01f
Opcode Fuzzy Hash: 884e07e3f9e233761377bd1502fcba5992fe7b7ebe155c8b7fe03bf93b268b6e
Instruction Fuzzy Hash: EB31C2711083009FD300EF54C891BAFBBF8EF9A354F10492DF596831A1EB719A85DB92

Function 00C7DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00C55222), ref: 00C7DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00C7DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00C7DBEE
FindClose.KERNEL32(00000000), ref: 00C7DBFA

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 09936a12f3b828499f5ad5561e9a90abf904e6ea74b02d1446beaba855f16bad
Instruction ID: e0794c964b10a23d153e378ba6399be198a66a8eee4deb213e2b266c6d930c75
Opcode Fuzzy Hash: 09936a12f3b828499f5ad5561e9a90abf904e6ea74b02d1446beaba855f16bad
Instruction Fuzzy Hash: 43F0A9308109106783216B78AC4DAAE37BC9F02338F108702F83BC20F0EBB09E948696

Function 00C34CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000,?,00C428E9), ref: 00C34D09
TerminateProcess.KERNEL32(00000000,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000,?,00C428E9), ref: 00C34D10
ExitProcess.KERNEL32 ref: 00C34D22

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e75662ccd4da236ffea0e86434a227be8e05ef92e74809bf54268809dfef3741
Instruction ID: 429575f8c5f58df28a44c2bd8217250b843c43b2bb9ab45a6a6a540bd2adab8f
Opcode Fuzzy Hash: e75662ccd4da236ffea0e86434a227be8e05ef92e74809bf54268809dfef3741
Instruction Fuzzy Hash: 20E0B631011148ABCF15AF54DD49B9D3B79FB42795F104014FD159B132CB39EE42DA80

Function 00C1BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

pE, xrefs: 00C607CE

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: pE
API String ID: 3964851224-3876148486
Opcode ID: 612e23e3097a153fb560868d44bec403fe8178930f19763043f5d9eb9f581644
Instruction ID: 51c61f211c2be6d2872c97ab8f75d3df905e7991ca46e4a7e198691828daee8b
Opcode Fuzzy Hash: 612e23e3097a153fb560868d44bec403fe8178930f19763043f5d9eb9f581644
Instruction Fuzzy Hash: 30A249706083418FD724DF19C4C0B6AB7E1BF8A304F24896DF89A9B352D771E985DB92

Function 00C9AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00C9B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B1D4
_wcslen.LIBCMT ref: 00C9B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B236
_wcslen.LIBCMT ref: 00C9B332

Part of subcall function 00C805A7: GetStdHandle.KERNEL32(000000F6), ref: 00C805C6

_wcslen.LIBCMT ref: 00C9B34B
_wcslen.LIBCMT ref: 00C9B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9B3B6
GetLastError.KERNEL32(00000000), ref: 00C9B407
CloseHandle.KERNEL32(?), ref: 00C9B439
CloseHandle.KERNEL32(00000000), ref: 00C9B44A
CloseHandle.KERNEL32(00000000), ref: 00C9B45C
CloseHandle.KERNEL32(00000000), ref: 00C9B46E
CloseHandle.KERNEL32(?), ref: 00C9B4E3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f3b7e162ad50a554a9355a315806f83af4245752ed1eecb1580b5ca245bb4757
Instruction ID: b5a8aa7ba803b0b4d8a8e503a6206523dae2da3d936dcf593ce183da7a799fde
Opcode Fuzzy Hash: f3b7e162ad50a554a9355a315806f83af4245752ed1eecb1580b5ca245bb4757
Instruction Fuzzy Hash: 73F1CC31608300AFCB14EF24D995B6EBBE1BF86314F14855DF8998B2A2DB30ED45DB52

Function 00C1D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C1D807
timeGetTime.WINMM ref: 00C1DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C1DB28
TranslateMessage.USER32(?), ref: 00C1DB7B
DispatchMessageW.USER32(?), ref: 00C1DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C1DB9F
Sleep.KERNELBASE(0000000A), ref: 00C1DBB1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 25e6bc85e33c5387efecb5b07527a0766032629d6f35b39f190208645c13bb65
Instruction ID: 90e365294742a14d75217ce096e4bc14b5023af810bcd387cbabac1582fb299d
Opcode Fuzzy Hash: 25e6bc85e33c5387efecb5b07527a0766032629d6f35b39f190208645c13bb65
Instruction Fuzzy Hash: B842D130608741EFD738CF25C894BAAB7E0BF86314F18455DE8668B291D774E984EB92

Function 00C1344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF, w,?,00C12E7F,?,?,?,00000000), ref: 00C13A78

Part of subcall function 00C13357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C13379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C1356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C5318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C531CE
RegCloseKey.ADVAPI32(?), ref: 00C53210
_wcslen.LIBCMT ref: 00C53277
_wcslen.LIBCMT ref: 00C53286

Strings

@k, xrefs: 00C1349D
\, xrefs: 00C5328C
\Include\, xrefs: 00C13527
Include, xrefs: 00C53184, 00C531C5
Software\AutoIt v3\AutoIt, xrefs: 00C13560

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: @k$Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2097308359
Opcode ID: 35ac55827660db68a10239d8b57a05664e57e2325d332b6a6e72b02aa90729a5
Instruction ID: 8687072356afe90e85c7c45855d5cd7d6f0c682baf913dfb78799dff174b804e
Opcode Fuzzy Hash: 35ac55827660db68a10239d8b57a05664e57e2325d332b6a6e72b02aa90729a5
Instruction Fuzzy Hash: 297148714043819AC314DF65EC82BAFBBECBB86744F40042EF555861B1EB749A89AB62

Function 00C12CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C12D07
RegisterClassExW.USER32(00000030), ref: 00C12D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C12D42
InitCommonControlsEx.COMCTL32(?), ref: 00C12D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C12D6F
LoadIconW.USER32(000000A9), ref: 00C12D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C12D94

Strings

AutoIt v3 GUI, xrefs: 00C12D23
TaskbarCreated, xrefs: 00C12D37
0, xrefs: 00C12CE9
+, xrefs: 00C12CF0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 36a716933413980eb2cb5f4cf1b4d77d3d1495a68966a44cfb71b26ed5d91faf
Instruction ID: 1c7d4c877c04d4dfb3d4564492cf2e7cd79d5ae21b4bb76a43912dfe3b0da3b6
Opcode Fuzzy Hash: 36a716933413980eb2cb5f4cf1b4d77d3d1495a68966a44cfb71b26ed5d91faf
Instruction Fuzzy Hash: CA21C0B5901258AFDB00DFA4E889BEDBBB4FB09704F04811AF911AB2A0D7B54594CFA1

Function 00C5065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C5039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C50704,?,?,00000000,?,00C50704,00000000,0000000C), ref: 00C503B7

GetLastError.KERNEL32 ref: 00C5076F
__dosmaperr.LIBCMT ref: 00C50776
GetFileType.KERNELBASE(00000000), ref: 00C50782
GetLastError.KERNEL32 ref: 00C5078C
__dosmaperr.LIBCMT ref: 00C50795
CloseHandle.KERNEL32(00000000), ref: 00C507B5
CloseHandle.KERNEL32(?), ref: 00C508FF
GetLastError.KERNEL32 ref: 00C50931
__dosmaperr.LIBCMT ref: 00C50938

Strings

H, xrefs: 00C508BD

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 35a7adf53de6d4f703e6893153b5827e42c5896310c07152b4f0b1f9018ea977
Instruction ID: 30d99db9e7d8987fb7ddf2dd052cac0213afdccb5a6eb3ea9ddab646c7530014
Opcode Fuzzy Hash: 35a7adf53de6d4f703e6893153b5827e42c5896310c07152b4f0b1f9018ea977
Instruction Fuzzy Hash: 9EA12636A101448FDF19AF68D891BAE3BA0AB06321F24015DFC21DF2E2DB319957DB95

Function 00C12B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C12B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C12B9D
LoadIconW.USER32(00000063), ref: 00C12BB3
LoadIconW.USER32(000000A4), ref: 00C12BC5
LoadIconW.USER32(000000A2), ref: 00C12BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C12BEF
RegisterClassExW.USER32(?), ref: 00C12C40

Part of subcall function 00C12CD4: GetSysColorBrush.USER32(0000000F), ref: 00C12D07
Part of subcall function 00C12CD4: RegisterClassExW.USER32(00000030), ref: 00C12D31
Part of subcall function 00C12CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C12D42
Part of subcall function 00C12CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C12D5F
Part of subcall function 00C12CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C12D6F
Part of subcall function 00C12CD4: LoadIconW.USER32(000000A9), ref: 00C12D85
Part of subcall function 00C12CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C12D94

Strings

#, xrefs: 00C12C16
0, xrefs: 00C12C0F
AutoIt v3, xrefs: 00C12C2F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1e8d95ca539a424fa21e4a85b22152be31a50f8e700745a489dc7f95bbc2b61a
Instruction ID: 19a7c52f90b5c3769f736ce362bbd25ec9bb12484476cf9ad94fbf5ac86883ab
Opcode Fuzzy Hash: 1e8d95ca539a424fa21e4a85b22152be31a50f8e700745a489dc7f95bbc2b61a
Instruction Fuzzy Hash: 87210974E00358ABDB109FA5ECD5BAD7FB4FB49B54F08001AEA00AB6B0D7B115A0DF90

Function 00C13170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C1316A,?,?), ref: 00C131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C1316A,?,?), ref: 00C13204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C13227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C1316A,?,?), ref: 00C13232
CreatePopupMenu.USER32 ref: 00C13246
PostQuitMessage.USER32(00000000), ref: 00C13267

Strings

TaskbarCreated, xrefs: 00C1322D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f35fc72eb2e85817302ae84d4f73f6eee694d104f5283e7ac98b0ce6f50a2b03
Instruction ID: d46796c791ab758441ec2adf3e18bdbcba7e6592128a4572dddf4386568b1ef1
Opcode Fuzzy Hash: f35fc72eb2e85817302ae84d4f73f6eee694d104f5283e7ac98b0ce6f50a2b03
Instruction Fuzzy Hash: 6B4104353402C4ABDF156B789D8EBFD3A59E707348F180125FD229A1A2CB718BD0B7A5

Function 00C11410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C11459
CoUninitialize.COMBASE ref: 00C114F8
UnregisterHotKey.USER32(?), ref: 00C116DD
DestroyWindow.USER32(?), ref: 00C524B9
FreeLibrary.KERNEL32(?), ref: 00C5251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C5254B

Strings

close all, xrefs: 00C11454

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 109e96fa36c688e2dc0a38d01b783503218639478451ae57587f4170c0a75770
Instruction ID: 7da344b8c766a0c4f43d7b9cc40758fc99ecfffd87bdd6359f57f2b3721dff44
Opcode Fuzzy Hash: 109e96fa36c688e2dc0a38d01b783503218639478451ae57587f4170c0a75770
Instruction Fuzzy Hash: 74D1BC35701222CFCB19EF15C495B69F7A0BF06700F1842ADE94A6B252DB30ED96EF54

Function 00C12C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C12C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C12CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C11CAD,?), ref: 00C12CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C11CAD,?), ref: 00C12CCF

Strings

edit, xrefs: 00C12CAC
AutoIt v3, xrefs: 00C12C89, 00C12C8E, 00C12C8F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 04508420b977fb657a491599c7604e435da302b71b7bc093500f792bc9eb9996
Instruction ID: cc0d41caf27f697318ed4449e5c5936f409a6610955256f16a3eda67aebd9d68
Opcode Fuzzy Hash: 04508420b977fb657a491599c7604e435da302b71b7bc093500f792bc9eb9996
Instruction Fuzzy Hash: 32F0DA755402D47AEB311B27AC88F7B2EBDD7C7F54B04005AFD00AB5B0C6755861DAB0

Function 00C42DF8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00C3F2DE,00C43863,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6), ref: 00C42DFD
_free.LIBCMT ref: 00C42E32
_free.LIBCMT ref: 00C42E59
SetLastError.KERNEL32(00000000,00C11129), ref: 00C42E66
SetLastError.KERNEL32(00000000,00C11129), ref: 00C42E6F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4d60c5dfc7d32a5ba2b86e18b5c46891311a7a16efd9d9af3dd0be37fd8ddee2
Instruction ID: adda5209417a560a065c70c62d2a5d01e01a3adf73e292cc56b86b5f37624545
Opcode Fuzzy Hash: 4d60c5dfc7d32a5ba2b86e18b5c46891311a7a16efd9d9af3dd0be37fd8ddee2
Instruction Fuzzy Hash: FA01F43260660167CA1267366C87F6F2669BBD23A6BE40029F431E32A3EF74CD01A120

Function 00C110F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C11BF4
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C11BFC
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C11C07
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C11C12
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C11C1A
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C11C22

Part of subcall function 00C11B4A: RegisterWindowMessageW.USER32(00000004,?,00C112C4), ref: 00C11BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C1136A
OleInitialize.OLE32 ref: 00C11388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C524AB

Strings

pW, xrefs: 00C11292

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: pW
API String ID: 1986988660-488229394
Opcode ID: e69526323ca1a840daf37ab2cec5952b86b2b37b4ee241b40e7c9140ac5ec962
Instruction ID: fc474dc0ef742d7fb5baeb16b23db9011aaea6c49752990738dbd2d1299ed5d2
Opcode Fuzzy Hash: e69526323ca1a840daf37ab2cec5952b86b2b37b4ee241b40e7c9140ac5ec962
Instruction Fuzzy Hash: 8271BEB49023C08EC794DF7AA8C579D3AE4FB8935475D812ADC1ACB3A1EB3444A1DF41

Function 00C13923 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C533A2

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C13A04

Strings

hw, xrefs: 00C13986, 00C533C9
Line: , xrefs: 00C533EB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line: $hw
API String ID: 2289894680-2652241211
Opcode ID: 4ae36c568394b21af86eb69db4fb393cd0ff9f93b1b484daf6742db61dd5d0ce
Instruction ID: 202999eec10112e3722dd0046e4c040657baebdadd9527c5fb9dc0e535ad1169
Opcode Fuzzy Hash: 4ae36c568394b21af86eb69db4fb393cd0ff9f93b1b484daf6742db61dd5d0ce
Instruction Fuzzy Hash: D931F471408380AAC321EB20DC45BEFB7D8AF46714F04052AF9A9930A1DB709799E7C2

Function 00C13B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B83

Strings

Control Panel\Mouse, xrefs: 00C13B3E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4428a9c7172f713559f41ab369e4d79d6479e0a584d309a084dbf5b453deedfe
Instruction ID: e54e318c08de62905dd884eedb3853afc9dd9e293f29e7bae4cf01f05654693b
Opcode Fuzzy Hash: 4428a9c7172f713559f41ab369e4d79d6479e0a584d309a084dbf5b453deedfe
Instruction Fuzzy Hash: C6112AB5514248FFDB208FA5DC84AEFB7B8EF06748B104459A805D7110E2319F80A760

Function 00C2FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C30668

Part of subcall function 00C332A4: RaiseException.KERNEL32(?,?,?,00C3068A,?,00CE1444,?,?,?,?,?,?,00C3068A,00C11129,00CD8738,00C11129), ref: 00C33304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C30685

Strings

Unknown exception, xrefs: 00C30692

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5ed8df610876abc6b0d93e91ad0d67513a478aafd682c3e32fac9d4910807970
Instruction ID: f9ad7160a77ac0d975ef6911af2f38b09e0c2e160a441f63e1f4e2a7f52f226c
Opcode Fuzzy Hash: 5ed8df610876abc6b0d93e91ad0d67513a478aafd682c3e32fac9d4910807970
Instruction Fuzzy Hash: 0EF0CD3591020DB7CB00BAA9E856C9E7B7C9E00310F704536B924D6996EF71EB6ADA90

Function 00C7C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C13A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C7C259
KillTimer.USER32(?,00000001,?,?), ref: 00C7C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C7C270

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 03f207d1c40320cc032f36a4367a0fba689fe13d2f4a7f3a4cce07cc568e8add
Instruction ID: 130ca4195e3b9d4ab25ee6042d334c64b3cedd9f1744e470f6f733bb32a7c1eb
Opcode Fuzzy Hash: 03f207d1c40320cc032f36a4367a0fba689fe13d2f4a7f3a4cce07cc568e8add
Instruction Fuzzy Hash: 66318170904344AFEB229B64D8D5BEABBEC9B06308F04449ED6AEA7242C7745A84CB51

Function 00C486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C485CC,?,00CD8CC8,0000000C), ref: 00C48704
GetLastError.KERNEL32(?,00C485CC,?,00CD8CC8,0000000C), ref: 00C4870E
__dosmaperr.LIBCMT ref: 00C48739

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 375b93e25a6b703c2776738894e5e3dcee0c766c239baaf777e0eb4359ef7af4
Instruction ID: b26e2f88c076a3347e4d52ad880a107502cb51cd85bd1981d4b343f0c81cb6ef
Opcode Fuzzy Hash: 375b93e25a6b703c2776738894e5e3dcee0c766c239baaf777e0eb4359ef7af4
Instruction Fuzzy Hash: 9C016D33A0566027D6A56734A885BFE77497B82B78F3A011DFC288F1E3DEB1CD859190

Function 00C1DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C1DB7B
DispatchMessageW.USER32(?), ref: 00C1DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C1DB9F
Sleep.KERNELBASE(0000000A), ref: 00C1DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00C61CC9

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 44d9869c4fb0ad9b4b55bcf2622a5a8deb523a8afeb63d1d5a13b601446c28af
Instruction ID: 8ee26ac1fdd201ab73cb39d24733c9e22707c9b67f6f58a564d95cb1fff721e6
Opcode Fuzzy Hash: 44d9869c4fb0ad9b4b55bcf2622a5a8deb523a8afeb63d1d5a13b601446c28af
Instruction Fuzzy Hash: 93F03A306443809BEB308B608C89FEE73A8AB86311F144518EA1AC30C0DB30A588AB25

Function 00C21310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C217F6

Strings

CALL, xrefs: 00C217C6

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 00352594f8bcff1f4355eead3357d98d1cbbd7ddaf26c5e5e7a4e4f83984a938
Instruction ID: 6d7006eb2a0b5f8b9113805a3ad949e9ec53b76c2c948e55d1779e5e2f368381
Opcode Fuzzy Hash: 00352594f8bcff1f4355eead3357d98d1cbbd7ddaf26c5e5e7a4e4f83984a938
Instruction Fuzzy Hash: 6822CB706083519FC724DF15D480B2ABBF1BF95314F28896DF89A8B7A2D731E941DB82

Function 00C14ECB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C14EDD,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E9C
Part of subcall function 00C14E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14EAE
Part of subcall function 00C14E90: FreeLibrary.KERNEL32(00000000,?,?,00C14EDD,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EFD

Part of subcall function 00C14E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C53CDE,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E62
Part of subcall function 00C14E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14E74
Part of subcall function 00C14E59: FreeLibrary.KERNEL32(00000000,?,?,00C53CDE,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E87

Strings

w, xrefs: 00C14ED1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID: w
API String ID: 2632591731-2235083495
Opcode ID: 9d61baab3f7f2ed2ee4a07f0540508bd6b50f2519abf4072cc600783daa51e3f
Instruction ID: e50388d7b155e8791df8578f142b65119f68828a21222c94b3802273f8f76944
Opcode Fuzzy Hash: 9d61baab3f7f2ed2ee4a07f0540508bd6b50f2519abf4072cc600783daa51e3f
Instruction Fuzzy Hash: 0911E732610205ABCF18BBA4DC02FED77A59F82711F20842DF552AA2C1DE719A85F750

Function 00C12DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C52C8C

Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2

Part of subcall function 00C12DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C12DC4

Strings

X, xrefs: 00C52C5A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 112ee4e29090af4ae7f986d891caa523b0dfc204c57f7261f92e2a804478a6b8
Instruction ID: 7f55a86e3104a6232dceb9939514fc045fb130b1c26d3795573e90d29bace94b
Opcode Fuzzy Hash: 112ee4e29090af4ae7f986d891caa523b0dfc204c57f7261f92e2a804478a6b8
Instruction Fuzzy Hash: 6421C670A002989BDF41DF94C8457EE7BF89F4A305F00405AE505A7341DBB45689EF61

Function 00C13837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C13908

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c22f807251d8e2a25891ed5f7d9e36d08f4112c7ecb7fa61f19ac793e2c08f6e
Instruction ID: 25d87affa4e93d937e67209b199a307d4bf01f4e4606dc42664de682d9d818f1
Opcode Fuzzy Hash: c22f807251d8e2a25891ed5f7d9e36d08f4112c7ecb7fa61f19ac793e2c08f6e
Instruction Fuzzy Hash: BE31E670504341CFE720DF24D8847DBBBE8FB4A718F04092EF99987290E771AA84DB52

Function 00C2F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C2F661

Part of subcall function 00C1D730: GetInputState.USER32 ref: 00C1D807

Sleep.KERNEL32(00000000), ref: 00C6F2DE

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 01b0ea275678443075e78e5c11c9af32265febc7d06f43cabe2581ad09f1c771
Instruction ID: b0e031e86ad4431ba98504f4ae0300223adfd9f4cb39ef23a68e1dd2deaa5141
Opcode Fuzzy Hash: 01b0ea275678443075e78e5c11c9af32265febc7d06f43cabe2581ad09f1c771
Instruction Fuzzy Hash: 67F08C312402159FD310EF69E489BAAB7E9EF46760F000029F85AC72A0EB70AC41DF90

Function 00C48402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C48440

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ef302413b9c89b815779d694f470e37c44befb35b915755b0bfaa517f4b186e9
Instruction ID: e4ee51ea8f577b13497d7c8538df9fa178488406d564013796df84fe08c676ad
Opcode Fuzzy Hash: ef302413b9c89b815779d694f470e37c44befb35b915755b0bfaa517f4b186e9
Instruction Fuzzy Hash: E911187590420AAFCB05DF58E941A9E7BF5FF48314F144059FC18AB312DA31DA15CBA5

Function 00C3E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: e4daa1e4997b67118895c72fbf7925137d7107ec55e65598de56941f08b96584
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 6AF0F432930A18D6D6313A6A9C06B9A33A8AF62335F100719F821921D2CB70D906A7A5

Function 00C44C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C11129,00000000,?,00C42E29,00000001,00000364,?,?,?,00C3F2DE,00C43863,00CE1444,?,00C2FDF5,?), ref: 00C44CBE

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dac041c64f9ecdb049d72856b26171362e2b683e8575ce2583d614211ff70a6e
Instruction ID: 8840b629383fb421074363b0db30c803b1393e076dc14daa8d8f96fcb6c73c6e
Opcode Fuzzy Hash: dac041c64f9ecdb049d72856b26171362e2b683e8575ce2583d614211ff70a6e
Instruction Fuzzy Hash: 0CF0E93160222467DB295F66AC85B5F3788BF417A1F3C4115BC25AB190CA30D90156E0

Function 00C43820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 85c983a9527dfcf24be8770c592331207b472f57b958d932958a64eddcbec968
Instruction ID: ced4b39648fdbfd382e93790be35a42c87ee79a31115ecf0153b88ded9b92432
Opcode Fuzzy Hash: 85c983a9527dfcf24be8770c592331207b472f57b958d932958a64eddcbec968
Instruction Fuzzy Hash: 6CE022312002A4AAE7312AB79C00B9FF749BFC27B4F090023BC24964D0DB21EF0196F0

Function 00C14F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14F6D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c80adddd118dc1b783cbf1b1b9de7da262a051322131f519673ead2c08bad2aa
Instruction ID: 804b561c50bec8bd16c1895399c12b3c0bb7412db046869cf437cc266b45d9a6
Opcode Fuzzy Hash: c80adddd118dc1b783cbf1b1b9de7da262a051322131f519673ead2c08bad2aa
Instruction Fuzzy Hash: FBF0A070105301CFCB388FA1D490896B7F0EF02319310897EE1EA87610C7319885EF00

Function 00CA2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CA2A66

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 416a6dcab25c1bb98c53320a869fce18fce1fa97e52e378a2565051dcf02b34f
Instruction ID: d941e709da358e6852c524d3eef0fb7307b08f38ea9b9e875d3bccd6095bcd3f
Opcode Fuzzy Hash: 416a6dcab25c1bb98c53320a869fce18fce1fa97e52e378a2565051dcf02b34f
Instruction Fuzzy Hash: E7E04F36350126AEC754EA35DC80AFE735CEB51399B104536BC2AD2140DB309E95B6A0

Function 00C130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C1314E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 66fcccdb41c59ea66619ad396c4be33b5b2633f09f3db17dc5ecbe48e58e5733
Instruction ID: 4750504fba3220fde3fd9867b64687fe13fd3a6e1280c266c22544404a5c9c3a
Opcode Fuzzy Hash: 66fcccdb41c59ea66619ad396c4be33b5b2633f09f3db17dc5ecbe48e58e5733
Instruction Fuzzy Hash: 79F037709143549FEB52DB24DC857DD7BBCA70570CF0400E5A54897191D77457D8CF51

Function 00C12DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C12DC4

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0c6625b0c231b56218a6c8fd57c5693487d7bbc2f7dc14ffcd092ca3902fe1af
Instruction ID: 3d100ef68f3ca39f8b7477208162991d90742ff802e8d9be7e25d2b6853f07f5
Opcode Fuzzy Hash: 0c6625b0c231b56218a6c8fd57c5693487d7bbc2f7dc14ffcd092ca3902fe1af
Instruction Fuzzy Hash: 31E0C276A042245BCB20E6989C0AFEA77EDDFC9790F0501B1FD09E7248DA60ADC49690

Function 00C12B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C13837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C13908

Part of subcall function 00C1D730: GetInputState.USER32 ref: 00C1D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C12B6B

Part of subcall function 00C130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C1314E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3b9533b532a987c4f41e1e7c4b1a538732baa5654081178cef343ea6c7544015
Instruction ID: b3e6a785c25b9396e3a64328fdc571ab5ab12e05430ffaf90ac3e0c87b232de3
Opcode Fuzzy Hash: 3b9533b532a987c4f41e1e7c4b1a538732baa5654081178cef343ea6c7544015
Instruction Fuzzy Hash: EEE026313042C407CA04BB30A8526EDA3998BD3319F00043EF143472E2CE308AD57352

Function 00C5039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C50704,?,?,00000000,?,00C50704,00000000,0000000C), ref: 00C503B7

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8678e3a9d1b62abc64c9f296d45c58f3279465bd3b52d68aa2d1e5ec9849570e
Instruction ID: 3d89e53b540e66d35c750de6e90375187ba107a42f7e33baa0d810f9b2d833b0
Opcode Fuzzy Hash: 8678e3a9d1b62abc64c9f296d45c58f3279465bd3b52d68aa2d1e5ec9849570e
Instruction Fuzzy Hash: EDD06C3214010DBBDF028F84DD46EDE3BAAFB48714F014000BE1856020C736E821AB90

Function 00C11CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C11CBC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3d67ceb70d14e527785581e1b9f84decc9b200862f71dfa49b701ca1146745cc
Instruction ID: c838fcc5682a6e38b41c8ac5e908f5553f484c40a0e506ed8389af4a87ac3e93
Opcode Fuzzy Hash: 3d67ceb70d14e527785581e1b9f84decc9b200862f71dfa49b701ca1146745cc
Instruction Fuzzy Hash: D6C09B352803449FF2144B80BDCAF287754A348B04F444001F6095D5F3C7B11820F650

Non-executed Functions

Function 00CA9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CA961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CA965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CA969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CA96C9
SendMessageW.USER32 ref: 00CA96F2
GetKeyState.USER32(00000011), ref: 00CA978B
GetKeyState.USER32(00000009), ref: 00CA9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CA97AE
GetKeyState.USER32(00000010), ref: 00CA97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CA97E9
SendMessageW.USER32 ref: 00CA9810
SendMessageW.USER32(?,00001030,?,00CA7E95), ref: 00CA9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CA992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CA9941
SetCapture.USER32(?), ref: 00CA994A
ClientToScreen.USER32(?,?), ref: 00CA99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CA99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CA99D6
ReleaseCapture.USER32 ref: 00CA99E1
GetCursorPos.USER32(?), ref: 00CA9A19
ScreenToClient.USER32(?,?), ref: 00CA9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CA9A80
SendMessageW.USER32 ref: 00CA9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CA9AEB
SendMessageW.USER32 ref: 00CA9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CA9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CA9B4A
GetCursorPos.USER32(?), ref: 00CA9B68
ScreenToClient.USER32(?,?), ref: 00CA9B75
GetParent.USER32(?), ref: 00CA9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CA9BFA
SendMessageW.USER32 ref: 00CA9C2B
ClientToScreen.USER32(?,?), ref: 00CA9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CA9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CA9CDE
SendMessageW.USER32 ref: 00CA9D01
ClientToScreen.USER32(?,?), ref: 00CA9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CA9D82

Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952

GetWindowLongW.USER32(?,000000F0), ref: 00CA9E05

Strings

F, xrefs: 00CA9D07
pE, xrefs: 00CA9990
@GUI_DRAGID, xrefs: 00CA997D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$pE
API String ID: 3429851547-945302107
Opcode ID: f7dc11941d8284e1bffe9e5f3ec71ce59d4e1047926dafca464021488d40499b
Instruction ID: d303cc1e76eb2ab5ab980daf74531a1f711105e4c26a8a7512629bc0a1a2a662
Opcode Fuzzy Hash: f7dc11941d8284e1bffe9e5f3ec71ce59d4e1047926dafca464021488d40499b
Instruction Fuzzy Hash: 8842AE34604642AFDB24CF24CC85BAABBF5FF4A328F140619FA69872A1D731D960DF51

Function 00CA4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CA48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CA4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CA4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CA494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CA495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CA497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CA49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CA49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CA4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CA4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CA4A7E
IsMenu.USER32(?), ref: 00CA4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CA4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CA4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CA4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CA4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CA4C82
wsprintfW.USER32 ref: 00CA4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CA4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CA4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CA4D5A

Strings

%d/%02d/%02d, xrefs: 00CA4CA8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6cd2cc6d5727b9f8cf4067655eb6e82f5599aef9870d8b5aa85f9aaf383a99d2
Instruction ID: e9447693c7b19b627af0f9c804cd16e079563ffe6c411d6af2d604d0cd925304
Opcode Fuzzy Hash: 6cd2cc6d5727b9f8cf4067655eb6e82f5599aef9870d8b5aa85f9aaf383a99d2
Instruction Fuzzy Hash: E4121631500215AFEB298F64DC49FAE7BF8EF86318F104129F525EB1E1DBB49A41CB50

Function 00C2F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C2F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C6F474
IsIconic.USER32(00000000), ref: 00C6F47D
ShowWindow.USER32(00000000,00000009), ref: 00C6F48A
SetForegroundWindow.USER32(00000000), ref: 00C6F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6F4AA
GetCurrentThreadId.KERNEL32 ref: 00C6F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C6F4DE
SetForegroundWindow.USER32(00000000), ref: 00C6F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F4F6
keybd_event.USER32(00000012,00000000), ref: 00C6F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F50B
keybd_event.USER32(00000012,00000000), ref: 00C6F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F519
keybd_event.USER32(00000012,00000000), ref: 00C6F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F528
keybd_event.USER32(00000012,00000000), ref: 00C6F52D
SetForegroundWindow.USER32(00000000), ref: 00C6F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C6F557

Strings

Shell_TrayWnd, xrefs: 00C6F46F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: e35c545211c605e56ddc1407cd67be39b372d3167805377b7615c36675da43b9
Instruction ID: 923f81d4c0974491dce129f99dc01ca37a52a3ed33cf28bcc7bc4a06abf24b69
Opcode Fuzzy Hash: e35c545211c605e56ddc1407cd67be39b372d3167805377b7615c36675da43b9
Instruction Fuzzy Hash: 5F313271A40218BFEB316BB55C8AFBF7E7CEB45B54F100069FA01E71D1CAB15D11AA60

Function 00C71201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
Part of subcall function 00C716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
Part of subcall function 00C716C3: GetLastError.KERNEL32 ref: 00C7174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C71286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C712A8
CloseHandle.KERNEL32(?), ref: 00C712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C712D1
GetProcessWindowStation.USER32 ref: 00C712EA
SetProcessWindowStation.USER32(00000000), ref: 00C712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C71310

Part of subcall function 00C710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C711FC), ref: 00C710D4
Part of subcall function 00C710BF: CloseHandle.KERNEL32(?,?,00C711FC), ref: 00C710E9

Strings

default, xrefs: 00C7130B
winsta0, xrefs: 00C712CC
, xrefs: 00C7125A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 985105c6cb3d6c159a304d7bff137729aa669443471026429f1a86296705eaee
Instruction ID: b830dcd230acb9578e5415b3137293b6edf47fa91ccd28ca38c50db1c3b290b1
Opcode Fuzzy Hash: 985105c6cb3d6c159a304d7bff137729aa669443471026429f1a86296705eaee
Instruction Fuzzy Hash: 5881A171900209AFDF219FA9DC49FEE7BB9EF05704F188129FD28E61A0D7348A44CB60

Function 00C70B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
Part of subcall function 00C710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
Part of subcall function 00C710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
Part of subcall function 00C710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C70BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C70C00
GetLengthSid.ADVAPI32(?), ref: 00C70C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C70C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C70C6D
GetLengthSid.ADVAPI32(?), ref: 00C70C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C70C8C
HeapAlloc.KERNEL32(00000000), ref: 00C70C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C70CB4
CopySid.ADVAPI32(00000000), ref: 00C70CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C70CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C70D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C70D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D45
HeapFree.KERNEL32(00000000), ref: 00C70D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D55
HeapFree.KERNEL32(00000000), ref: 00C70D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D65
HeapFree.KERNEL32(00000000), ref: 00C70D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C70D78
HeapFree.KERNEL32(00000000), ref: 00C70D7F

Part of subcall function 00C71193: GetProcessHeap.KERNEL32(00000008,00C70BB1,?,00000000,?,00C70BB1,?), ref: 00C711A1
Part of subcall function 00C71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C70BB1,?), ref: 00C711A8
Part of subcall function 00C71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C70BB1,?), ref: 00C711B7

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 32623099828cf343ad759f6529ff5581a51bbaa13d6ad15ad31d3a161c0c6b35
Instruction ID: 9b3526b69e50e148c8fc96943df08977017a289bd129e5063c991da881bc2f0f
Opcode Fuzzy Hash: 32623099828cf343ad759f6529ff5581a51bbaa13d6ad15ad31d3a161c0c6b35
Instruction Fuzzy Hash: 3F716D71A0020AEBDF10DFA5DC84FEEBBB8BF15304F148519F929A7291D771AA05CB60

Function 00C8EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CACC08), ref: 00C8EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C8EB37
GetClipboardData.USER32(0000000D), ref: 00C8EB43
CloseClipboard.USER32 ref: 00C8EB4F
GlobalLock.KERNEL32(00000000), ref: 00C8EB87
CloseClipboard.USER32 ref: 00C8EB91
GlobalUnlock.KERNEL32(00000000), ref: 00C8EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00C8EBC9
GetClipboardData.USER32(00000001), ref: 00C8EBD1
GlobalLock.KERNEL32(00000000), ref: 00C8EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00C8EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C8EC38
GetClipboardData.USER32(0000000F), ref: 00C8EC44
GlobalLock.KERNEL32(00000000), ref: 00C8EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C8EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C8EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C8ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00C8ECF3
CountClipboardFormats.USER32 ref: 00C8ED14
CloseClipboard.USER32 ref: 00C8ED59

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: ab582d547fa1a0e494a7cf840864fb9bd43abfa697df63c013885e150f8d67ac
Instruction ID: b3054bbf44e5fb664a5d2af0fd31b6c5089bafd1c599c9345f04ff831cb53158
Opcode Fuzzy Hash: ab582d547fa1a0e494a7cf840864fb9bd43abfa697df63c013885e150f8d67ac
Instruction Fuzzy Hash: 8861BF342042019FD300EF24D895F7EB7E4EF86718F144519F466972A2DB31EE4ADBA6

Function 00C8698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C869BE
FindClose.KERNEL32(00000000), ref: 00C86A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C86A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C86A75

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C86AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C86ADF

Strings

%4d, xrefs: 00C86BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00C86B6A
%03d, xrefs: 00C86DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C86B32
%02d, xrefs: 00C86C00, 00C86C0A, 00C86C5A, 00C86CAA, 00C86CFA, 00C86D4A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 36488f5929d42c4ba16e75b520ea4266a0c9476be346b227772453784affd4c1
Instruction ID: c16cc7276f3858ae5a934261cd0b74fa9111227c9dea95d06642a1db20d35975
Opcode Fuzzy Hash: 36488f5929d42c4ba16e75b520ea4266a0c9476be346b227772453784affd4c1
Instruction Fuzzy Hash: 1DD15E72508300AFC314EBA4D891EAFB7ECAF89704F04492DF595C7291EB74DA45EB62

Function 00C89642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C89663
GetFileAttributesW.KERNEL32(?), ref: 00C896A1
SetFileAttributesW.KERNEL32(?,?), ref: 00C896BB
FindNextFileW.KERNEL32(00000000,?), ref: 00C896D3
FindClose.KERNEL32(00000000), ref: 00C896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00C896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8974A
SetCurrentDirectoryW.KERNEL32(00CD6B7C), ref: 00C89768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C89772
FindClose.KERNEL32(00000000), ref: 00C8977F
FindClose.KERNEL32(00000000), ref: 00C8978F

Strings

*.*, xrefs: 00C896F5

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2efca4a01feb5f7e0a26a879f5e22daff292350ba86c56e87fa5db827f0d1363
Instruction ID: 5864703d5ce4aeb124cca40ab01f5983de2ac4ca1127a3afc97061857f7e6aff
Opcode Fuzzy Hash: 2efca4a01feb5f7e0a26a879f5e22daff292350ba86c56e87fa5db827f0d1363
Instruction Fuzzy Hash: 4531B0325012197ADB14BFB4DC49BEE77ACDF4A328F184166F915E31A0EB34DE408B58

Function 00C8979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00C89819
FindClose.KERNEL32(00000000), ref: 00C89824
FindFirstFileW.KERNEL32(*.*,?), ref: 00C89840
SetCurrentDirectoryW.KERNEL32(?), ref: 00C89890
SetCurrentDirectoryW.KERNEL32(00CD6B7C), ref: 00C898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C898B8
FindClose.KERNEL32(00000000), ref: 00C898C5
FindClose.KERNEL32(00000000), ref: 00C898D5

Part of subcall function 00C7DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C7DB00

Strings

*.*, xrefs: 00C8983B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9e22c776942402643d04734d45fce189ca331edd2803b126a9885d47d9fdf7f5
Instruction ID: 9f4eaa2f47800a5430fee4fd252755d82378d8c59968c8c5712c003688f9528c
Opcode Fuzzy Hash: 9e22c776942402643d04734d45fce189ca331edd2803b126a9885d47d9fdf7f5
Instruction Fuzzy Hash: 5731923150161A7ADF14BFA4DC48BEE77ACDF06328F184166E924A31E0DB31DE44DB68

Function 00C9BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00C9BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00C9BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C9C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C9C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C9C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C9C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00C9C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C9C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C9C382
RegCloseKey.ADVAPI32(00000000), ref: 00C9C38F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 2374647878dac4494504714f509c1e96b1ab71edf78f641701dfe87b62b9a594
Instruction ID: f4bd17a215c3266d1fe7a5995c719c6fce9c3b095a8365424a16c42c18d4ee11
Opcode Fuzzy Hash: 2374647878dac4494504714f509c1e96b1ab71edf78f641701dfe87b62b9a594
Instruction Fuzzy Hash: 4E024C71604200AFDB14CF28C8D5E6ABBE5EF49308F18849DF85ACB2A2D731ED45DB51

Function 00C88195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C88257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C88267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C88273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C88310
SetCurrentDirectoryW.KERNEL32(?), ref: 00C88324
SetCurrentDirectoryW.KERNEL32(?), ref: 00C88356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C8838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C88395

Strings

*.*, xrefs: 00C8839B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 57004ca5c9f19fbe13cf5d8a875840798b9e97350820e2e10f749e9b1c919864
Instruction ID: 00dd1889fdd3c7ef77a8edcd24473cfd6a4942c0c2674699fc445a1bec6809a8
Opcode Fuzzy Hash: 57004ca5c9f19fbe13cf5d8a875840798b9e97350820e2e10f749e9b1c919864
Instruction Fuzzy Hash: 3C61AF725043059FCB10EF64C884AAEB3E8FF89314F44891EF999C7251EB31E949DB96

Function 00C7D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2

Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C7D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C7D1DD
MoveFileW.KERNEL32(?,?), ref: 00C7D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C7D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7D237

Part of subcall function 00C7D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C7D21C,?,?), ref: 00C7D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C7D253
FindClose.KERNEL32(00000000), ref: 00C7D264

Strings

\*.*, xrefs: 00C7D0CD, 00C7D0D6, 00C7D0EB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 06fe90a32f38850a1b4add2eb729cca87ce5ab78a5c8479e6f0d2c06ca34ea91
Instruction ID: 346603091191f4baccfbad29ac0497b520a665c36da269716e70684a4875cb74
Opcode Fuzzy Hash: 06fe90a32f38850a1b4add2eb729cca87ce5ab78a5c8479e6f0d2c06ca34ea91
Instruction Fuzzy Hash: C7619F31C0114D9FCF05EBE0C992AEDB7B5AF56304F648165E41A771A2EB306F4AEB60

Function 00C8ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C8ED91
EmptyClipboard.USER32 ref: 00C8ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00C8EDAC
CloseClipboard.USER32 ref: 00C8EEA3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f5f17989e915222f1495c918e21ceef1ac91ef38faa81022fbd1d9311da75b0d
Instruction ID: ae2a4e78ac24e53f7135333d19a614ac30d6e6a7c44fcfc904dd62565cc66dd7
Opcode Fuzzy Hash: f5f17989e915222f1495c918e21ceef1ac91ef38faa81022fbd1d9311da75b0d
Instruction Fuzzy Hash: 59418B35204611AFE720EF15D888B59BBE5EF4532CF14C099F4298B7A2C735ED42CB94

Function 00C7E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
Part of subcall function 00C716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
Part of subcall function 00C716C3: GetLastError.KERNEL32 ref: 00C7174A

ExitWindowsEx.USER32(?,00000000), ref: 00C7E932

Strings

SeShutdownPrivilege, xrefs: 00C7E902
, xrefs: 00C7E920
, xrefs: 00C7E95C
@, xrefs: 00C7E925

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 2cbe07943716d6222a9297ce9e09c8ff6081105087fe7c9f8e64ce2c456a3288
Instruction ID: 5ba57ae9c2c6692cac9b92d5975b65f7302b6dba7432f4e8264bb98a3cd179b1
Opcode Fuzzy Hash: 2cbe07943716d6222a9297ce9e09c8ff6081105087fe7c9f8e64ce2c456a3288
Instruction Fuzzy Hash: 3A014933610211AFEB6426B99CCAFFF725C9708754F18C462FE1BE31D1D6A05D409290

Function 00C91204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C91276
WSAGetLastError.WSOCK32 ref: 00C91283
bind.WSOCK32(00000000,?,00000010), ref: 00C912BA
WSAGetLastError.WSOCK32 ref: 00C912C5
closesocket.WSOCK32(00000000), ref: 00C912F4
listen.WSOCK32(00000000,00000005), ref: 00C91303
WSAGetLastError.WSOCK32 ref: 00C9130D
closesocket.WSOCK32(00000000), ref: 00C9133C

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 4277d29b679ae937f560bda7b154a6af7dd75b9707a6b951ebe5d2a7c6d4eb67
Instruction ID: 50d5365d644ff7cd108697e16cc3d1b0be8b01e63d005c3da042485e372f8447
Opcode Fuzzy Hash: 4277d29b679ae937f560bda7b154a6af7dd75b9707a6b951ebe5d2a7c6d4eb67
Instruction Fuzzy Hash: CD4173316001419FDB10EF64C4C9B69BBE5BF46318F188198E8669F2D2C775ED81CBE1

Function 00C7D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2

Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C7D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C7D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7D481
FindClose.KERNEL32(00000000), ref: 00C7D498
FindClose.KERNEL32(00000000), ref: 00C7D4A1

Strings

\*.*, xrefs: 00C7D3F2

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 78018e081f179cf251ed44304bced2f69ccb3383b7401049a7fa3d7e9c24060b
Instruction ID: 6842e7528b7086087198afd85b1549ff7594323606f316ccdfc8776edc8dd0ef
Opcode Fuzzy Hash: 78018e081f179cf251ed44304bced2f69ccb3383b7401049a7fa3d7e9c24060b
Instruction Fuzzy Hash: 223182710093419FC300EF64C8959EFB7E8BE92314F448A1DF4E6531A1EB30AA49EB63

Function 00C4E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C4E645

Strings

1#QNAN, xrefs: 00C4F84B
1#SNAN, xrefs: 00C4F844
1#INF, xrefs: 00C4F852
1#IND, xrefs: 00C4F83D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 410ef73c84bd9a56208c392662da350cc741968523cac10b96c0a74efe3d7c87
Instruction ID: a83fd9730878d486a1dc7fca97311a091d81e5397e0b51e8a639bc602c3393c2
Opcode Fuzzy Hash: 410ef73c84bd9a56208c392662da350cc741968523cac10b96c0a74efe3d7c87
Instruction Fuzzy Hash: A4C23A72E046288FDB25CE28DD407EAB7B5FB49315F1541EAD85DE7280E774AE828F40

Function 00C8648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C864DC
CoInitialize.OLE32(00000000), ref: 00C86639
CoCreateInstance.OLE32(00CAFCF8,00000000,00000001,00CAFB68,?), ref: 00C86650
CoUninitialize.OLE32 ref: 00C868D4

Strings

.lnk, xrefs: 00C864BA, 00C86524, 00C865E0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1ef4eff4fd1909fe1d7694d4576304a2f4313b8595020a7192cfcadd3a52f7b0
Instruction ID: a1ee4467611bf2f71af9663140abd31a7e1f63a0ece63222326b3847c22105be
Opcode Fuzzy Hash: 1ef4eff4fd1909fe1d7694d4576304a2f4313b8595020a7192cfcadd3a52f7b0
Instruction Fuzzy Hash: 2AD14B71508301AFD304EF64C891AABB7E8FF99708F00496DF5958B291DB70EE46DB92

Function 00C922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00C922E8

Part of subcall function 00C8E4EC: GetWindowRect.USER32(?,?), ref: 00C8E504

GetDesktopWindow.USER32 ref: 00C92312
GetWindowRect.USER32(00000000), ref: 00C92319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C92355
GetCursorPos.USER32(?), ref: 00C92381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C923DF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b81d616df88a976d8a95ff010932c24f8e72aff0a500cbbf2e2460f38ed5c356
Instruction ID: 9d5d4be7bc95b757c138a3acdefb6ab89f140163e27e25b19d7aa6fb04eebd38
Opcode Fuzzy Hash: b81d616df88a976d8a95ff010932c24f8e72aff0a500cbbf2e2460f38ed5c356
Instruction Fuzzy Hash: 2031FE72504315AFCB20DF14C849F9BBBADFF88714F000919F99897191DB34EA08CB92

Function 00C89B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C89B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C89C8B

Part of subcall function 00C83874: GetInputState.USER32 ref: 00C838CB
Part of subcall function 00C83874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C89BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C89C75

Strings

*.*, xrefs: 00C89B5D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cfd9b39f80ff6c258302822064668e23c6786815251343e8b2b4d56524b03cbb
Instruction ID: 3ac44d4ff78999e4f74b1ea33c8873cadde8860617dcecc82b4f1edb507b8333
Opcode Fuzzy Hash: cfd9b39f80ff6c258302822064668e23c6786815251343e8b2b4d56524b03cbb
Instruction Fuzzy Hash: 4541717190020AAFDF15EFA4C885AFEBBB4EF46314F14415AE815A3191EB319F84DF64

Function 00C2997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C29A4E
GetSysColor.USER32(0000000F), ref: 00C29B23
SetBkColor.GDI32(?,00000000), ref: 00C29B36

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 95f9e1c0417b10cf0901eb4a7801236ec78a4380d3bffb4c27e412d5ef429c91
Instruction ID: ff0996f53c95b79afa399f1ae77a3d5149b16e116aec00ae80e0c45a4e75c88b
Opcode Fuzzy Hash: 95f9e1c0417b10cf0901eb4a7801236ec78a4380d3bffb4c27e412d5ef429c91
Instruction Fuzzy Hash: F3A13770108564EEE739AA2DACC9E7F269DDF43308F150609F522DADA1CA35DE41E271

Function 00C91806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C9307A
Part of subcall function 00C9304E: _wcslen.LIBCMT ref: 00C9309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C9185D
WSAGetLastError.WSOCK32 ref: 00C91884
bind.WSOCK32(00000000,?,00000010), ref: 00C918DB
WSAGetLastError.WSOCK32 ref: 00C918E6
closesocket.WSOCK32(00000000), ref: 00C91915

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 722c28c48615a5d6fe5660fd411ba61465aef6c286d4e14202123984ddc28ea1
Instruction ID: 3d5584aac58c5453319ee5b3a5e6110b8948b8ee40130347cc91b7d1dfcb5fe0
Opcode Fuzzy Hash: 722c28c48615a5d6fe5660fd411ba61465aef6c286d4e14202123984ddc28ea1
Instruction Fuzzy Hash: D651B371A00210AFDB10AF24D88AF6A77E5AB45718F188098F9159F3D3D771ED41EBA1

Function 00CA1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CA1CC0
IsWindowEnabled.USER32 ref: 00CA1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CA1CDB
IsIconic.USER32 ref: 00CA1CE9
IsZoomed.USER32 ref: 00CA1CF7

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5b7f1c1f2e9e52d5300573d50f6330ed95c96b8ad649c2281661aa98d181c1c7
Instruction ID: 52459e67f90c1292a1c9c0ce949a117be2bbf1a752b3bc49b672a58e89a346f3
Opcode Fuzzy Hash: 5b7f1c1f2e9e52d5300573d50f6330ed95c96b8ad649c2281661aa98d181c1c7
Instruction Fuzzy Hash: 66219F317406125FD7218F2AC884B6A7BE5EF8632CF1D8068E8568B351CB71ED42DB94

Function 00C18060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C183E8
VUUU, xrefs: 00C1843C
VUUU, xrefs: 00C183FA
VUUU, xrefs: 00C55DF0
ERCP, xrefs: 00C1813C

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1a38536d152957bac10c73461c9699d211b5c5b5de7b6ec4b75f7ae0d24172de
Instruction ID: fe406dc31e7628f22cc89dd2df615f0e82a2a9415cb22bdb497157a3d48a6544
Opcode Fuzzy Hash: 1a38536d152957bac10c73461c9699d211b5c5b5de7b6ec4b75f7ae0d24172de
Instruction Fuzzy Hash: 41A2AE74E0461ACBDF24CF58C8507EEB7B1BB55311F6481A9EC25A7280EB309EC9DB94

Function 00C7AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C7AAAC
SetKeyboardState.USER32(00000080), ref: 00C7AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C7AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C7AB88

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 02f17f708fb345e748fc4d95405730061295b07a539c662b5f0ee1eb2e912122
Instruction ID: f2b0867b383ab15e6023c237aa8df25e781761fb8164e487c19ef1caeb707cf3
Opcode Fuzzy Hash: 02f17f708fb345e748fc4d95405730061295b07a539c662b5f0ee1eb2e912122
Instruction Fuzzy Hash: 0C311870A40208AFFF35CA65CC05BFE7BA6EBC5310F04C21AF199561D1D3749A85D7A2

Function 00C4BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C4BB7F

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

GetTimeZoneInformation.KERNEL32 ref: 00C4BB91
WideCharToMultiByte.KERNEL32(00000000,?,00CE121C,000000FF,?,0000003F,?,?), ref: 00C4BC09
WideCharToMultiByte.KERNEL32(00000000,?,00CE1270,000000FF,?,0000003F,?,?,?,00CE121C,000000FF,?,0000003F,?,?), ref: 00C4BC36

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 7a874c74ace0299fc58b1ca3638a92103ae8361e5469664dbce3da17df66a6e1
Instruction ID: 67326fb09635e921603fae1a21607365747ed91101709e1d6755656044d63ecb
Opcode Fuzzy Hash: 7a874c74ace0299fc58b1ca3638a92103ae8361e5469664dbce3da17df66a6e1
Instruction Fuzzy Hash: 1931AF71904245DFCB11DF6ACCC0A6DBBB8FF4632071846AAE560DB2B1D7309E51DB90

Function 00C8CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C8CE89
GetLastError.KERNEL32(?,00000000), ref: 00C8CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00C8CEFE

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 23610c7ac831c0e3ba280ac5e41b62580356e9fd803e50357c981c966e46277d
Instruction ID: f72ce9c5a990b5995e92bf70b9c9cc8d674e1a75c593d77ff1f933ee7c3f7191
Opcode Fuzzy Hash: 23610c7ac831c0e3ba280ac5e41b62580356e9fd803e50357c981c966e46277d
Instruction Fuzzy Hash: 5321BD71500305ABEB30EFA5C988BAAB7F8EB50318F10441EE656D2151EB74EE049B68

Function 00C78298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C782AA

Strings

|, xrefs: 00C782DA
(, xrefs: 00C782F0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: fcc459b754abe5462579cbbdbdd1e52b3d154350530d50b2e51e1733745b9a69
Instruction ID: ae9bd85e39902a8ff3419827db06c5350606f1c3d08549a44b5cd1cf9f165d30
Opcode Fuzzy Hash: fcc459b754abe5462579cbbdbdd1e52b3d154350530d50b2e51e1733745b9a69
Instruction Fuzzy Hash: C9323674A007059FCB28CF69C085A6AB7F0FF48710B15C56EE5AADB7A1EB70E941CB50

Function 00C85C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C85CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00C85D17
FindClose.KERNEL32(?), ref: 00C85D5F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e7a161831c0f21224f296e1b75d2f8c151896a867c39bcb8ccbf22983ee8e43a
Instruction ID: 31bfc3ddfbca2101ed57623dd027a17c45aa67d015f4031f2540ef8a09a4aa63
Opcode Fuzzy Hash: e7a161831c0f21224f296e1b75d2f8c151896a867c39bcb8ccbf22983ee8e43a
Instruction Fuzzy Hash: 27519974604A019FC714EF28C494A9AB7E4FF4A318F14855EE96A8B3A2CB70ED45CF91

Function 00C42622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C4271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C42724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C42731

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b2a2e7f47e5e7b916f240b3926fbcc8c6ab46d69a26f538d0bff18c11d64a6b9
Instruction ID: 8c30f725d9dec06c0dd91ae06de8547ee204fd7c8bfb8ed0fc42230bda738134
Opcode Fuzzy Hash: b2a2e7f47e5e7b916f240b3926fbcc8c6ab46d69a26f538d0bff18c11d64a6b9
Instruction Fuzzy Hash: E531A27591121CABCB21DF68D9897DDBBB8BF08310F5041EAE81CA7261E7709F819F45

Function 00C851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C85238
SetErrorMode.KERNEL32(00000000), ref: 00C852A1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cd57ff228f3b2430ba7b32fc8d2e35d163823a9a3ef9feef6c51dd38eee506aa
Instruction ID: 61caebde287bb17ff8940858f865fa32334aa1ca2f121f1d68023dcc5453e6e0
Opcode Fuzzy Hash: cd57ff228f3b2430ba7b32fc8d2e35d163823a9a3ef9feef6c51dd38eee506aa
Instruction Fuzzy Hash: BC312B75A005189FDB00EF94D8C4FADBBB5FF49318F048099E905AB3A2DB71E956CB90

Function 00C716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C30668
Part of subcall function 00C2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C30685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
GetLastError.KERNEL32 ref: 00C7174A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 02f8f302de5661ad30f5d1b4ca3330f2dd9feebe6be8ff91f1ec48d593986c76
Instruction ID: 95afc9644fc49420901adc2015bfe554fce427b6e08aecd6252694bed578d075
Opcode Fuzzy Hash: 02f8f302de5661ad30f5d1b4ca3330f2dd9feebe6be8ff91f1ec48d593986c76
Instruction Fuzzy Hash: 2E1191B2414308AFD7189F54ECC6E6AB7BDEB44714B24C52EF45657641EB70BC428A20

Function 00C7D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C7D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C7D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C7D650

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c7855c093ac968e1313c3222559917f35219d161852a5147b9f8f63ebaa309cf
Instruction ID: eed8662c7cf55e8935ce41db6e9080b8e44a9254a1029fd949942f90c9a45d6f
Opcode Fuzzy Hash: c7855c093ac968e1313c3222559917f35219d161852a5147b9f8f63ebaa309cf
Instruction Fuzzy Hash: F6115E75E05228BFDB108F95DC85FAFBBBCEB45B60F108515F918E7290D6704A058BA1

Function 00C71663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C7168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C716A1
FreeSid.ADVAPI32(?), ref: 00C716B1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: bff7a0d9a5cb832bfb21b234867fe59d512c323820def197e7ea3a00f5fd32e8
Instruction ID: 898343ee388d655ec6f12f1e0bc00277d922201809b093cc4f8b6086b2058117
Opcode Fuzzy Hash: bff7a0d9a5cb832bfb21b234867fe59d512c323820def197e7ea3a00f5fd32e8
Instruction Fuzzy Hash: B4F0F47195030DFBDB00DFE4DC89AAEBBBCEB08604F508565E901E2181E774AA448A50

Function 00C6D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C6D28C

Strings

X64, xrefs: 00C6D2A8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: be7f165c43e8ae9649a83f4ff9f4f0fe053e62017de12ad1a16b1745a99e20e0
Instruction ID: cbc79ea8dae363fc5df70ce96358180b562a8a6ce589af106061b0a5be7de481
Opcode Fuzzy Hash: be7f165c43e8ae9649a83f4ff9f4f0fe053e62017de12ad1a16b1745a99e20e0
Instruction Fuzzy Hash: DBD0CAB480116DEACBA0CBA0ECC8EDEB7BCBB14309F100292F106A2000DB309A488F20

Function 00C3CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 8894962b4598f3fe915d4ca39a0204fc49701403902d9fcb38243183b20ce92a
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F2021D72E102199BDF14DFA9D8C06ADFBF1EF48314F258169D829F7384D731AA418B94

Function 00C1CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C60C40
pE, xrefs: 00C1CF7F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$pE
API String ID: 0-1586003432
Opcode ID: ee29227a30e8f850d9649cdefe14f00c80b9280e634b383e88010174faedf57d
Instruction ID: 5a7f2ca92053cd82ee79e8c1a6cdb1a61c29ffaf67184bf4616391ccaec4885d
Opcode Fuzzy Hash: ee29227a30e8f850d9649cdefe14f00c80b9280e634b383e88010174faedf57d
Instruction Fuzzy Hash: DB32AE30940218DBCF24DF94D8D1AEEB7B5FF06304F248059F816AB292D735AE86EB51

Function 00C868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C86918
FindClose.KERNEL32(00000000), ref: 00C86961

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: eb4d9e66360b8a78f79573fa8fb2ba595ac58953673f747a709655c2c9e33bac
Instruction ID: 5a1de72ba758379a097a29bf80ed1de3cb38a48bdaacd57cb4514d162d054e32
Opcode Fuzzy Hash: eb4d9e66360b8a78f79573fa8fb2ba595ac58953673f747a709655c2c9e33bac
Instruction Fuzzy Hash: 1B117C316042109FC710DF69D488A1ABBE5EF85328F14C699E4698B7A2CB30EC45CB91

Function 00C837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C94891,?,?,00000035,?), ref: 00C837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C94891,?,?,00000035,?), ref: 00C837F4

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e43ce31e6a99222dc2997b5631f50ecdfc0c11d0d62e5cd3084d3c6ed89b303e
Instruction ID: cb73d12b166f1e19a0a27626f7a8fe1f3b4cce4565741aed640d70d5c22dd2ea
Opcode Fuzzy Hash: e43ce31e6a99222dc2997b5631f50ecdfc0c11d0d62e5cd3084d3c6ed89b303e
Instruction Fuzzy Hash: 38F0EC707052142AD71067664C8DFDB369DDFC5B65F000275F505D32D1D9609944C7B0

Function 00C7B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C7B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00C7B270

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bc23a3b532b469837c1af17165f28f159e5f4f61b62308a9e8e3b725311218c3
Instruction ID: e16f186d3bd8d0b67185c778b6b6608db78b5e7884a08d45f57ec85398ce212b
Opcode Fuzzy Hash: bc23a3b532b469837c1af17165f28f159e5f4f61b62308a9e8e3b725311218c3
Instruction Fuzzy Hash: 63F0177180428EABDB059FA1C806BBE7BB4FF09309F00800AF965A61A2C37986119F94

Function 00C710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C711FC), ref: 00C710D4
CloseHandle.KERNEL32(?,?,00C711FC), ref: 00C710E9

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d8943918e0b4a7b1d4316ede3d70ab1057746560d9a9bfaafd7cd6a013d5d0d3
Instruction ID: 1bf079d85bd97b1309aa5e3218651f9687a906fe9dbff86da87f3f35ff50a1ac
Opcode Fuzzy Hash: d8943918e0b4a7b1d4316ede3d70ab1057746560d9a9bfaafd7cd6a013d5d0d3
Instruction Fuzzy Hash: EEE04F32004610AEE7252B15FC05FB777A9EF04320F14882DF4A6814B1DB626C90EB10

Function 00C4676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C46766,?,?,00000008,?,?,00C4FEFE,00000000), ref: 00C46998

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6f7e0484133966bb2604fb18c379eb1b12d0b42764fbd87d34a67e041b2ec68f
Instruction ID: 0925d2ffd9d8a33951c5a309b2772b0767da1d4e6bad6e5f0d2a04d9e028f324
Opcode Fuzzy Hash: 6f7e0484133966bb2604fb18c379eb1b12d0b42764fbd87d34a67e041b2ec68f
Instruction Fuzzy Hash: 2EB14C316106089FD715CF28C486B657BE0FF46368F258658E8E9CF2E6C335EA91CB41

Function 00C2B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C6851F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3196eb8806bcf009b612c7e23ca401bd271dd0cea73bfd2cca6050edd52228d1
Instruction ID: dfe0c99ed0e16f95f08f602380d8ce1aae399e6a3624bfc857e2ede2558a2488
Opcode Fuzzy Hash: 3196eb8806bcf009b612c7e23ca401bd271dd0cea73bfd2cca6050edd52228d1
Instruction Fuzzy Hash: 91127E71D002299BCB24DF59D8806EEB7F5FF48310F1481AAE859EB251DB309E85DF90

Function 00C8EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C8EABD

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2726b5a806b37ab9c7252284116c77cd4e646d98368d6a27c337248c587e7782
Instruction ID: 66d9ef0073953bd7545f71ba37ef35e0037187c3a25581f5ec9156968ab65642
Opcode Fuzzy Hash: 2726b5a806b37ab9c7252284116c77cd4e646d98368d6a27c337248c587e7782
Instruction Fuzzy Hash: 86E01A31200204AFC710EF5AD844E9ABBE9AF99764F008416FC49C7351DA70E881AB90

Function 00C309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C303EE), ref: 00C309DA

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fe9d2f5e2414aa138904cbd89e183879a4ac44fa8df305a4ccf03c403a4390aa
Instruction ID: bcd5e5b7ac518b4d10a9a3abc5cdc8a01e7340b3ceedb4279bfa92d12fd79366
Opcode Fuzzy Hash: fe9d2f5e2414aa138904cbd89e183879a4ac44fa8df305a4ccf03c403a4390aa
Instruction Fuzzy Hash:

Function 00C3781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C3798B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3fb99e9943a86ff3dcaf643888caa725ae425c106688d0badbddf5a3c03b1c09
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 345168F163C7456BDF388569895EBBE63D99B06300F180B09E8A2EB2C2C615DF05E353

Function 00C46DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f13ecc687bd88667465eb24ecf397931a71fcb07ff248d553a8dbc6d7dfc077
Instruction ID: d2077ef76cba0b0e5c03431ffe619f395ff722b22e1f6bb21134b3159823f6f7
Opcode Fuzzy Hash: 8f13ecc687bd88667465eb24ecf397931a71fcb07ff248d553a8dbc6d7dfc077
Instruction Fuzzy Hash: BC321332D29F414DDB239635CC2233AA649BFB73C5F15D737E82AB5AA5EB29C5834100

Function 00C2CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89413fba1c3d778ee3237d6e3c89706a67a1afe8d13432c3e3442958e0eebbc
Instruction ID: eb0ebfad99496317d305605af0bc04efb408d1450eec7ecf53559cd84f238466
Opcode Fuzzy Hash: a89413fba1c3d778ee3237d6e3c89706a67a1afe8d13432c3e3442958e0eebbc
Instruction Fuzzy Hash: 50320531A042658BCF38CF69D8D467D7BA1EB45300F28856BD4EADB692D234DF81EB41

Function 00C17920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40108f5e4f9c121beec9a37d8b8793bf46366e84d137d008a01562b6c33fd73
Instruction ID: e44d7eefcba407515c2434a493a258d1f61a5c3d9e2f578758de0499de92dbc4
Opcode Fuzzy Hash: b40108f5e4f9c121beec9a37d8b8793bf46366e84d137d008a01562b6c33fd73
Instruction Fuzzy Hash: 2422F470A04609DFDF04CF65D891AEEB3F5FF45300F204229E816A72A1EB359E95EB54

Function 00C191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4e9be6b16b91a61068f9941345eb7e26934634925bc70afab6f25c5aca8bd7
Instruction ID: 05a39719ba85eb05b98ed9cbcb165f4f2bc05c520f3a78dcd83d55e0ccdc46a1
Opcode Fuzzy Hash: 9b4e9be6b16b91a61068f9941345eb7e26934634925bc70afab6f25c5aca8bd7
Instruction Fuzzy Hash: 5102E7B5E00209EBDB04DF64D881AAEB7B5FF44300F118169E816DB290EB31EF95DB95

Function 00C49EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9ed0d6c8847688aac8b9cd9d22f1bd0e2e628a8b0eab23a3a3f44eb1cfe6b2
Instruction ID: bd24718d2bb88eaf5885db3b7e0d24954258418df7d6a7b146eb6bcb3a6a4a78
Opcode Fuzzy Hash: 8d9ed0d6c8847688aac8b9cd9d22f1bd0e2e628a8b0eab23a3a3f44eb1cfe6b2
Instruction Fuzzy Hash: 96B1E220D2AF804DD3239639883133BB69CAFBB6D5F91D71BFC1674D62EB2286834140

Function 00C31C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 43338182a2d6a5f3ff183443a6a9bd893b949779adc219cc9a276c837356eab1
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BC9179721280A34EDB6A463E857407EFFE15A523A1B1E079DDCF2CA1C5FE14CA54D620

Function 00C31F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: bcd81bb5a3eaf161e274f3420697d77f8b60442c2b0ffbb760e8bd273c5585d2
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 91916A722190A34DDF6D467E857403DFFE15A923A1B1E079DD8F2CB1C5EE24CA58E620

Function 00C319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a9b82f9d75931e5631de39726bbb90f50f40b317f2a3a9231650aeba284e67ad
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 129187722190E34EDB2D427A857403DFFE15A923A6B1E079DD8F2CA1C1FD14C764E620

Function 00C37A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0e6c0761db7c23f07272b0b7a30dd4369b62ae0542d33859df5373bfe1e60d
Instruction ID: 643904d3a0b8dded7f6f7d9b4c675b06ab938f8e7f3d3393e007c86f766faf78
Opcode Fuzzy Hash: 3e0e6c0761db7c23f07272b0b7a30dd4369b62ae0542d33859df5373bfe1e60d
Instruction Fuzzy Hash: 88618AF1238309A7DE349A2C8CA5BBEB3A4DF41708F101B1AF853DB281D6119F46E755

Function 00C37CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00483d1692421cf4d7de9aaa8fe928b5afb94107b427faf4014b85e0458c3f8
Instruction ID: 20783a467cc73c73d66115a0ac3fb730ac9ed82e1e303e1df077d8fc2d714c0e
Opcode Fuzzy Hash: f00483d1692421cf4d7de9aaa8fe928b5afb94107b427faf4014b85e0458c3f8
Instruction Fuzzy Hash: 57617AF12387096BDE389A288896BFF2398DF41700F100B59F863DB281DA129F469355

Function 00C31706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fdd2b72d5224a755e2735ab1c4006bdc2c01ad347278ae12fdfbef849f14083a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 988187336191A34DDB6D863A853453EFFE15A923A1B1E079DD8F2CB1C1EE24C754E620

Function 00C82046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5550a333b2ee5a4d0324193588281bbc428a8f87a40c879ae749dc54e17023df
Instruction ID: 4896f08b01dbe2ad31923af2ea2efadf89ec975c4f780b72df6a0269d898cbea
Opcode Fuzzy Hash: 5550a333b2ee5a4d0324193588281bbc428a8f87a40c879ae749dc54e17023df
Instruction Fuzzy Hash: 7821E7326206118BDB28CF79C82377E73E9A794314F14862EE4A7C73D0DE75A904CB84

Function 00C92ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C92B30
DeleteObject.GDI32(00000000), ref: 00C92B43
DestroyWindow.USER32 ref: 00C92B52
GetDesktopWindow.USER32 ref: 00C92B6D
GetWindowRect.USER32(00000000), ref: 00C92B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C92CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C92CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92CF8
GetClientRect.USER32(00000000,?), ref: 00C92D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C92D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D80
GlobalLock.KERNEL32(00000000), ref: 00C92D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D98
GlobalUnlock.KERNEL32(00000000), ref: 00C92DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92DA8
GlobalFree.KERNEL32(00000000), ref: 00C92DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CAFC38,00000000), ref: 00C92DDB
GlobalFree.KERNEL32(00000000), ref: 00C92DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C92E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C92E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9303F

Strings

, xrefs: 00C92FC5
static, xrefs: 00C92D3A, 00C92E91
DISPLAY, xrefs: 00C92EA2
AutoIt v3, xrefs: 00C92CF2

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 6d607390641683a0ce40343edc66ff78a358d93fc7321751818443f9a491bd32
Instruction ID: 10dcbc83a2aa7fb9b659812adb289d66c99a7221f211a1db8fe5f5c058258945
Opcode Fuzzy Hash: 6d607390641683a0ce40343edc66ff78a358d93fc7321751818443f9a491bd32
Instruction Fuzzy Hash: 05027A71A00215AFDB14DFA4CC89FAE7BB9EB4A314F048158F915AB2A1DB74ED41CF60

Function 00CA70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CA712F
GetSysColorBrush.USER32(0000000F), ref: 00CA7160
GetSysColor.USER32(0000000F), ref: 00CA716C
SetBkColor.GDI32(?,000000FF), ref: 00CA7186
SelectObject.GDI32(?,?), ref: 00CA7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CA71C0
GetSysColor.USER32(00000010), ref: 00CA71C8
CreateSolidBrush.GDI32(00000000), ref: 00CA71CF
FrameRect.USER32(?,?,00000000), ref: 00CA71DE
DeleteObject.GDI32(00000000), ref: 00CA71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CA7230
FillRect.USER32(?,?,?), ref: 00CA7262
GetWindowLongW.USER32(?,000000F0), ref: 00CA7284

Part of subcall function 00CA73E8: GetSysColor.USER32(00000012), ref: 00CA7421
Part of subcall function 00CA73E8: SetTextColor.GDI32(?,?), ref: 00CA7425
Part of subcall function 00CA73E8: GetSysColorBrush.USER32(0000000F), ref: 00CA743B
Part of subcall function 00CA73E8: GetSysColor.USER32(0000000F), ref: 00CA7446
Part of subcall function 00CA73E8: GetSysColor.USER32(00000011), ref: 00CA7463
Part of subcall function 00CA73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CA7471
Part of subcall function 00CA73E8: SelectObject.GDI32(?,00000000), ref: 00CA7482
Part of subcall function 00CA73E8: SetBkColor.GDI32(?,00000000), ref: 00CA748B
Part of subcall function 00CA73E8: SelectObject.GDI32(?,?), ref: 00CA7498
Part of subcall function 00CA73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CA74B7
Part of subcall function 00CA73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CA74CE
Part of subcall function 00CA73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CA74DB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: eba278c8448569272170516b3ac13ba4e95ef714ba603f97f5adb2314e828589
Instruction ID: 1825546b286a3a670e1151d135764433183956d729aa00566dcbe3a44da242f0
Opcode Fuzzy Hash: eba278c8448569272170516b3ac13ba4e95ef714ba603f97f5adb2314e828589
Instruction Fuzzy Hash: 70A18D72508302AFDB119F60DC88B6F7BE9FB4A328F100B19FA62971A1D771E9449B51

Function 00C28D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C28E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C66AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C66AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C66F43

Part of subcall function 00C28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C28BE8,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28FC5

SendMessageW.USER32(?,00001053), ref: 00C66F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C66F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C66FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C66FB7

Strings

0, xrefs: 00C66DCF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 18cfb282dc00eb57ac06d01982bc30b9e6b85a9065c0ee7caec26a0af51497c3
Instruction ID: 423f5199a2726ac168f175ca6106aa1df45e47ac56e33e74fddcd6d1c7c6aab7
Opcode Fuzzy Hash: 18cfb282dc00eb57ac06d01982bc30b9e6b85a9065c0ee7caec26a0af51497c3
Instruction Fuzzy Hash: D612CB34201251EFDB25CF28D8C4BAAB7E1FB45300F184469F4A58B662CB32ED66DF91

Function 00C92711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C9273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C9286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C92900
GetClientRect.USER32(00000000,?), ref: 00C9290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C92955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C92964
GetStockObject.GDI32(00000011), ref: 00C92974
SelectObject.GDI32(00000000,00000000), ref: 00C92978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C92988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C92991
DeleteDC.GDI32(00000000), ref: 00C9299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C92A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C92A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C92A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C92A77
GetStockObject.GDI32(00000011), ref: 00C92A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C92A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C92A97

Strings

msctls_progress32, xrefs: 00C92A13
static, xrefs: 00C9294F, 00C92A71
DISPLAY, xrefs: 00C9295A
AutoIt v3, xrefs: 00C928F8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: d9fe5674911840252d6cf6cc3ec526857399f12511b5f1b30713aa76edd1fa8d
Instruction ID: 14286c5f5c91f5e0945c844052df509b28b25d93db7abdbd4c14f05409be830b
Opcode Fuzzy Hash: d9fe5674911840252d6cf6cc3ec526857399f12511b5f1b30713aa76edd1fa8d
Instruction Fuzzy Hash: 24B14B71A00215BFEB14DFA8DC89FAE7BB9EB09714F044114FA15EB2A0D774AD40DBA4

Function 00C84ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C84AED
GetDriveTypeW.KERNEL32(?,00CACB68,?,\\.\,00CACC08), ref: 00C84BCA
SetErrorMode.KERNEL32(00000000,00CACB68,?,\\.\,00CACC08), ref: 00C84D36

Strings

Virtual, xrefs: 00C84CE5
SCSI, xrefs: 00C84C8A
Network, xrefs: 00C84C02
Fixed, xrefs: 00C84C09
PhysicalDrive, xrefs: 00C84B76
FileBackedVirtual, xrefs: 00C84CEC
Unknown, xrefs: 00C84BED, 00C84C83
SSA, xrefs: 00C84CA6
USB, xrefs: 00C84CB4
Fibre, xrefs: 00C84CAD
RAID, xrefs: 00C84CBB
1394, xrefs: 00C84C9F
ATAPI, xrefs: 00C84C91
SATA, xrefs: 00C84CD0
CDROM, xrefs: 00C84BFB
\\.\, xrefs: 00C84B3F
iSCSI, xrefs: 00C84CC2
ATA, xrefs: 00C84C98
RAMDisk, xrefs: 00C84BF4
Removable, xrefs: 00C84C10, 00C84C15
SSD, xrefs: 00C84C4A
MMC, xrefs: 00C84CDE
SAS, xrefs: 00C84CC9

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 982190b7a958e68fd323a9949ee7f0f627a08dd316889f94c7ea95f4bab3eeea
Instruction ID: 3deffb1f39202e7161e36c2d0435b6debddd5299b1dadc7fd2ea00d573e44cad
Opcode Fuzzy Hash: 982190b7a958e68fd323a9949ee7f0f627a08dd316889f94c7ea95f4bab3eeea
Instruction Fuzzy Hash: 9F61B030705207DBCB08FF25CA819BDB7B5AB45308B248426F916AB791DB71EE41EB49

Function 00CA73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CA7421
SetTextColor.GDI32(?,?), ref: 00CA7425
GetSysColorBrush.USER32(0000000F), ref: 00CA743B
GetSysColor.USER32(0000000F), ref: 00CA7446
CreateSolidBrush.GDI32(?), ref: 00CA744B
GetSysColor.USER32(00000011), ref: 00CA7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CA7471
SelectObject.GDI32(?,00000000), ref: 00CA7482
SetBkColor.GDI32(?,00000000), ref: 00CA748B
SelectObject.GDI32(?,?), ref: 00CA7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CA74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CA74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CA74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CA7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CA7572
DrawFocusRect.USER32(?,?), ref: 00CA757D
GetSysColor.USER32(00000011), ref: 00CA758E
SetTextColor.GDI32(?,00000000), ref: 00CA7596
DrawTextW.USER32(?,00CA70F5,000000FF,?,00000000), ref: 00CA75A8
SelectObject.GDI32(?,?), ref: 00CA75BF
DeleteObject.GDI32(?), ref: 00CA75CA
SelectObject.GDI32(?,?), ref: 00CA75D0
DeleteObject.GDI32(?), ref: 00CA75D5
SetTextColor.GDI32(?,?), ref: 00CA75DB
SetBkColor.GDI32(?,?), ref: 00CA75E5

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d51de79c018901f78a50c74bd788f3b49d44e6bec3099b065fce481377512eee
Instruction ID: 473ee47aa2a1b511768ca825ac890939da090013599805de6514dcbf9cbe9347
Opcode Fuzzy Hash: d51de79c018901f78a50c74bd788f3b49d44e6bec3099b065fce481377512eee
Instruction Fuzzy Hash: 85615172D04219AFDB019FA4DC49BDE7FB9FB0A324F114125FA15A72A1D7709940DF90

Function 00CA0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CA1128
GetDesktopWindow.USER32 ref: 00CA113D
GetWindowRect.USER32(00000000), ref: 00CA1144
GetWindowLongW.USER32(?,000000F0), ref: 00CA1199
DestroyWindow.USER32(?), ref: 00CA11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CA11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CA121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CA1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CA1245
IsWindowVisible.USER32(00000000), ref: 00CA12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CA12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CA12D0
GetWindowRect.USER32(00000000,?), ref: 00CA12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CA130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CA1328
CopyRect.USER32(?,?), ref: 00CA133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CA13AA

Strings

(, xrefs: 00CA131B
tooltips_class32, xrefs: 00CA11E6
0, xrefs: 00CA10D3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f151216f7176fec2266e9f7e5717ec91a6084737bf69819f1f8c394831d0f28a
Instruction ID: 01c94dd985fbad93a4d2b98f6737169a776292fd5b43b44fa0cc6fdc284c0cc7
Opcode Fuzzy Hash: f151216f7176fec2266e9f7e5717ec91a6084737bf69819f1f8c394831d0f28a
Instruction Fuzzy Hash: A6B1AD71608342AFDB10DF64C884BAEBBE4FF86358F048918F9999B261C731EC45DB91

Function 00C28891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C28968
GetSystemMetrics.USER32(00000007), ref: 00C28970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C2899B
GetSystemMetrics.USER32(00000008), ref: 00C289A3
GetSystemMetrics.USER32(00000004), ref: 00C289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C28A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C28A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C28A5A
GetStockObject.GDI32(00000011), ref: 00C28A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C28A81

Part of subcall function 00C2912D: GetCursorPos.USER32(?), ref: 00C29141
Part of subcall function 00C2912D: ScreenToClient.USER32(00000000,?), ref: 00C2915E
Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000001), ref: 00C29183
Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000002), ref: 00C2919D

SetTimer.USER32(00000000,00000000,00000028,00C290FC), ref: 00C28AA8

Strings

AutoIt v3 GUI, xrefs: 00C28A20

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ec789efbbef0189a64813faaff9f9b647ffbe18e62b4932d6d4fea28127a3ce6
Instruction ID: fdeb915b3375add4de256f22df95b1081f7364a6fa61dc1be5b67e374744cd1d
Opcode Fuzzy Hash: ec789efbbef0189a64813faaff9f9b647ffbe18e62b4932d6d4fea28127a3ce6
Instruction Fuzzy Hash: 62B19B75A0021A9FDF24DFA8DD85BAE3BB5FB48314F154229FA15AB2D0DB34E940CB50

Function 00C70D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
Part of subcall function 00C710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
Part of subcall function 00C710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
Part of subcall function 00C710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C70DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C70E29
GetLengthSid.ADVAPI32(?), ref: 00C70E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C70E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C70E96
GetLengthSid.ADVAPI32(?), ref: 00C70EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C70EB5
HeapAlloc.KERNEL32(00000000), ref: 00C70EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C70EDD
CopySid.ADVAPI32(00000000), ref: 00C70EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C70F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C70F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C70F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F6E
HeapFree.KERNEL32(00000000), ref: 00C70F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F7E
HeapFree.KERNEL32(00000000), ref: 00C70F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F8E
HeapFree.KERNEL32(00000000), ref: 00C70F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C70FA1
HeapFree.KERNEL32(00000000), ref: 00C70FA8

Part of subcall function 00C71193: GetProcessHeap.KERNEL32(00000008,00C70BB1,?,00000000,?,00C70BB1,?), ref: 00C711A1
Part of subcall function 00C71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C70BB1,?), ref: 00C711A8
Part of subcall function 00C71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C70BB1,?), ref: 00C711B7

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7f5bb584b72fef82ec10573a069492f0917c533908a339dc98a5c02ca1ac5fcc
Instruction ID: 2844660dddd7b29a36d6e20d3af79d3c051397fe4af869a22a18e3fa1760dd32
Opcode Fuzzy Hash: 7f5bb584b72fef82ec10573a069492f0917c533908a339dc98a5c02ca1ac5fcc
Instruction Fuzzy Hash: E2715B72A0020AEBDF20DFA4DC85FAEBBB8BF05304F148115F969E7191D7719A15CB60

Function 00C9C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CACC08,00000000,?,00000000,?,?), ref: 00C9C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C9C5A4
_wcslen.LIBCMT ref: 00C9C5F4
_wcslen.LIBCMT ref: 00C9C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C9C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C9C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C9C84D
RegCloseKey.ADVAPI32(?), ref: 00C9C881
RegCloseKey.ADVAPI32(00000000), ref: 00C9C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C9C960

Strings

REG_MULTI_SZ, xrefs: 00C9C6F5
REG_DWORD, xrefs: 00C9C804
REG_SZ, xrefs: 00C9C644
REG_BINARY, xrefs: 00C9C913
REG_EXPAND_SZ, xrefs: 00C9C5CD
REG_QWORD, xrefs: 00C9C8C3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 92b46a358b4931e5d12b4721ab5b4860fad4256916aaca03a131ebb407f7b9d0
Instruction ID: aef9daaf552421f2b8e7ee10ab3f11d36551ef1073dbe0d3a4f0dc8ee3c0c4df
Opcode Fuzzy Hash: 92b46a358b4931e5d12b4721ab5b4860fad4256916aaca03a131ebb407f7b9d0
Instruction Fuzzy Hash: EC1278312042019FDB14DF14C895B6AB7E5EF89714F05899CF89A9B3A2DB31FD41EB81

Function 00CA091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA09C6
_wcslen.LIBCMT ref: 00CA0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA0A54
_wcslen.LIBCMT ref: 00CA0A8A
_wcslen.LIBCMT ref: 00CA0B06
_wcslen.LIBCMT ref: 00CA0B81

Part of subcall function 00C2F9F2: _wcslen.LIBCMT ref: 00C2F9FD

Part of subcall function 00C72BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C72BFA

Strings

CHECK, xrefs: 00CA0A85, 00CA0AA0
EXISTS, xrefs: 00CA0B7C, 00CA0B97
GETITEMCOUNT, xrefs: 00CA0C1E
GETTEXT, xrefs: 00CA0C97
COLLAPSE, xrefs: 00CA0B01, 00CA0B1C
ISCHECKED, xrefs: 00CA0CE1
SELECT, xrefs: 00CA0D11
EXPAND, xrefs: 00CA0BF8
GETSELECTED, xrefs: 00CA0C4E
GETTOTALCOUNT, xrefs: 00CA09F2, 00CA0A17
UNCHECK, xrefs: 00CA0D3E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 02787938357308798475753ab6d8d9cc38043b05b44ca0f5edcfa98d1b81755f
Instruction ID: 93c145f0e6eb6e7cc42f9fee53d24bd75a92f64f1bd70dd73ff55337d7f67e74
Opcode Fuzzy Hash: 02787938357308798475753ab6d8d9cc38043b05b44ca0f5edcfa98d1b81755f
Instruction Fuzzy Hash: C8E1B0312083028FC714DF25C45096AB7E2FF9A358F248A5DF8A69B362D731EE45DB81

Function 00C9C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
_wcslen.LIBCMT ref: 00C9C9F1
_wcslen.LIBCMT ref: 00C9CA68
_wcslen.LIBCMT ref: 00C9CA9E
_wcslen.LIBCMT ref: 00C9CAF9
_wcslen.LIBCMT ref: 00C9CB2F
_wcslen.LIBCMT ref: 00C9CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 00C9CAF3, 00C9CAF8
HKCR, xrefs: 00C9CB29, 00C9CB2E
HKU, xrefs: 00C9CBF0
HKEY_CURRENT_USER, xrefs: 00C9CBBD
HKEY_LOCAL_MACHINE, xrefs: 00C9CA62, 00C9CA67
HKCU, xrefs: 00C9CBCE
HKEY_CURRENT_CONFIG, xrefs: 00C9CB79, 00C9CB7E
HKCC, xrefs: 00C9CBAC
HKLM, xrefs: 00C9CA98, 00C9CA9D
HKEY_USERS, xrefs: 00C9CBDF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f59425fb1c330587880c34c170adf3104843c9871ec1bef43117db06200bb7f9
Instruction ID: efce02abb90c35067623be1112106340a05f58c833c9bb3c8481aa2313e101af
Opcode Fuzzy Hash: f59425fb1c330587880c34c170adf3104843c9871ec1bef43117db06200bb7f9
Instruction Fuzzy Hash: DA71053260016A8BCF20DE78CDD56BE3395AB61764F150629F87697284FA30CF81E3A0

Function 00CA833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA835A
_wcslen.LIBCMT ref: 00CA836E
_wcslen.LIBCMT ref: 00CA8391
_wcslen.LIBCMT ref: 00CA83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CA83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CA361A,?), ref: 00CA844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CA8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CA84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CA8501
FreeLibrary.KERNEL32(?), ref: 00CA850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CA851D
DestroyIcon.USER32(?), ref: 00CA852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CA8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CA8555

Strings

.exe, xrefs: 00CA8388
.icl, xrefs: 00CA8368
.dll, xrefs: 00CA83AB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 591b6666dbd1993e9106271b20b004e3d433ad4220c5ab75c0912026f7e9f756
Instruction ID: 320cb0206bb972ff8fbc0009d0e9566b97cb1d4d7336b6c1928f58978f05b749
Opcode Fuzzy Hash: 591b6666dbd1993e9106271b20b004e3d433ad4220c5ab75c0912026f7e9f756
Instruction Fuzzy Hash: 9B61027190020ABFEB14DF64CC85BBE77ACBF0A724F104609F825D61D0EB74AA84D7A0

Function 00C17778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 00C178ED
#include-once, xrefs: 00C1782F
Cannot parse #include, xrefs: 00C55279
#include, xrefs: 00C17847
#notrayicon, xrefs: 00C177E7
#OnAutoItStartRegister, xrefs: 00C17817
#requireadmin, xrefs: 00C177FF
Unterminated group of comments, xrefs: 00C5528C
#pragma compile, xrefs: 00C177D3
Bad directive syntax error, xrefs: 00C5519A
#cs, xrefs: 00C17873, 00C178C5
#comments-start, xrefs: 00C1785F, 00C178B1
", xrefs: 00C55153
', xrefs: 00C55169
#comments-end, xrefs: 00C178D9

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: a7365d88f059aefa1f5464ce5295a87001f2e42523083406d336de5c164d28c9
Instruction ID: df10d9ed2b38cd7402120ea73c2faa75a8f3f6ca9b364e49252391cd844681c5
Opcode Fuzzy Hash: a7365d88f059aefa1f5464ce5295a87001f2e42523083406d336de5c164d28c9
Instruction Fuzzy Hash: 6F810575600605ABDB21AF61DC52FEF3BB8AF16304F044024FD05AA2D2EB70DA95E7E5

Function 00C83E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C83EF8
_wcslen.LIBCMT ref: 00C83F03
_wcslen.LIBCMT ref: 00C83F5A
_wcslen.LIBCMT ref: 00C83F98
GetDriveTypeW.KERNEL32(?), ref: 00C83FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C84059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C84087

Strings

type cdaudio alias cd wait, xrefs: 00C84001
closed, xrefs: 00C83F08, 00C83F2D, 00C83F46, 00C83F7E, 00C83F97
wait, xrefs: 00C84044
set cd door , xrefs: 00C84028
open , xrefs: 00C83FE5
close cd wait, xrefs: 00C84072
close, xrefs: 00C83EFE, 00C83F18
open, xrefs: 00C83F54, 00C83F59

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 54ec5497d80372da3f5bc6ec2eca9677c6685a2be6c78f4577e87162ed4bf9d5
Instruction ID: cc67d97e1ba7b2129a7f9e28207f1bf812ef88f3abc9e3628a041a94a854377d
Opcode Fuzzy Hash: 54ec5497d80372da3f5bc6ec2eca9677c6685a2be6c78f4577e87162ed4bf9d5
Instruction Fuzzy Hash: A471E3716043029FC710EF24C8809ABB7F4EF95758F40492DFAA597251EB31EE45EB91

Function 00C75A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C75A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C75A40
SetWindowTextW.USER32(?,?), ref: 00C75A57
GetDlgItem.USER32(?,000003EA), ref: 00C75A6C
SetWindowTextW.USER32(00000000,?), ref: 00C75A72
GetDlgItem.USER32(?,000003E9), ref: 00C75A82
SetWindowTextW.USER32(00000000,?), ref: 00C75A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C75AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C75AC3
GetWindowRect.USER32(?,?), ref: 00C75ACC
_wcslen.LIBCMT ref: 00C75B33
SetWindowTextW.USER32(?,?), ref: 00C75B6F
GetDesktopWindow.USER32 ref: 00C75B75
GetWindowRect.USER32(00000000), ref: 00C75B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C75BD3
GetClientRect.USER32(?,?), ref: 00C75BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C75C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C75C2F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5081271993cbc065a35dc6ec66285121f8a6a0d1117831e3be27de50ae1670fa
Instruction ID: 629b699b4e3e19c9c5b2598afc6c9c9c3cfd6a60f0df3b77c742de448ce3e4a7
Opcode Fuzzy Hash: 5081271993cbc065a35dc6ec66285121f8a6a0d1117831e3be27de50ae1670fa
Instruction Fuzzy Hash: 1B718131900B09AFDB20DFA9CE85BAEBBF5FF48704F104918E556A35A0D7B5EA44CB50

Function 00C8FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C8FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00C8FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00C8FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00C8FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00C8FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00C8FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00C8FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00C8FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00C8FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00C8FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00C8FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00C8FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00C8FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00C8FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00C8FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00C8FECC
GetCursorInfo.USER32(?), ref: 00C8FEDC
GetLastError.KERNEL32 ref: 00C8FF1E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 58a1ffa45c8ff729bfc1e334a6414ad7d094fccd1906839496d60e2beef865cd
Instruction ID: 4f55e07ffb7f2c1b0a3f21c50fe60b89a651bb31f2f85386e87189ff19927923
Opcode Fuzzy Hash: 58a1ffa45c8ff729bfc1e334a6414ad7d094fccd1906839496d60e2beef865cd
Instruction Fuzzy Hash: AA4161B0D043196ADB10DFBA8C8985EBFE8FF04354B50452AF119E7281DB78E9018F94

Function 00C300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C300C6

Part of subcall function 00C300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00CE070C,00000FA0,3AE2F35E,?,?,?,?,00C523B3,000000FF), ref: 00C3011C
Part of subcall function 00C300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C523B3,000000FF), ref: 00C30127
Part of subcall function 00C300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C523B3,000000FF), ref: 00C30138
Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C3014E
Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C3015C
Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C3016A
Part of subcall function 00C300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C30195
Part of subcall function 00C300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C301A0

___scrt_fastfail.LIBCMT ref: 00C300E7

Part of subcall function 00C300A3: __onexit.LIBCMT ref: 00C300A9

Strings

InitializeConditionVariable, xrefs: 00C30148
SleepConditionVariableCS, xrefs: 00C30154
WakeAllConditionVariable, xrefs: 00C30162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C30122
kernel32.dll, xrefs: 00C30133

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: deb592b73c740bcc8cad521f44a0488b0b979e3ab8237a63cee572e48e46b0a6
Instruction ID: dc6ece1f8418497ab6f2270070478a26bf25bcb62cdbdf7eb51f258f83a26e2c
Opcode Fuzzy Hash: deb592b73c740bcc8cad521f44a0488b0b979e3ab8237a63cee572e48e46b0a6
Instruction Fuzzy Hash: C2213833A507116FE7216FE4AC96B2E33E4EB06B65F20013EF901E7691DFB09C008A90

Function 00C730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C7318D
_wcslen.LIBCMT ref: 00C731F8

Strings

CLASSNN, xrefs: 00C731F3, 00C73204
NAME, xrefs: 00C73335, 00C73346
CLASS, xrefs: 00C73188, 00C731A5
REGEXPCLASS, xrefs: 00C73255, 00C73266
INSTANCE, xrefs: 00C73453
TEXT, xrefs: 00C7347C

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 63ac9a01d1657a3ad7ca3453fe000aadcec2d504ba2169d874b1a502bfd9a511
Instruction ID: 4fc390fe69ecf2fc44b4c771d03ba099afea422f4986e1818d7e50e6a679c811
Opcode Fuzzy Hash: 63ac9a01d1657a3ad7ca3453fe000aadcec2d504ba2169d874b1a502bfd9a511
Instruction Fuzzy Hash: 02E1F632A00556ABCB18DF78C8517EEBBB4BF44710F54C12AE46AB7240DB30AF85B790

Function 00C844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CACC08), ref: 00C84527
_wcslen.LIBCMT ref: 00C8453B
_wcslen.LIBCMT ref: 00C84599
_wcslen.LIBCMT ref: 00C845F4
_wcslen.LIBCMT ref: 00C8463F
_wcslen.LIBCMT ref: 00C846A7

Part of subcall function 00C2F9F2: _wcslen.LIBCMT ref: 00C2F9FD

GetDriveTypeW.KERNEL32(?,00CD6BF0,00000061), ref: 00C84743

Strings

removable, xrefs: 00C845EA, 00C845EF
all, xrefs: 00C84531, 00C84536
ramdisk, xrefs: 00C846F1
unknown, xrefs: 00C84708
network, xrefs: 00C8469D, 00C846A2
fixed, xrefs: 00C84635, 00C8463A
cdrom, xrefs: 00C8458F, 00C84594

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: db74fe15780fa5ed619ab20b41e6db826be47000b2055c2ac5ffb17d4b3502fe
Instruction ID: f6ab543bb81330903e82af0acdbcee9e7f7bde532b73e82030ea571f59842830
Opcode Fuzzy Hash: db74fe15780fa5ed619ab20b41e6db826be47000b2055c2ac5ffb17d4b3502fe
Instruction Fuzzy Hash: F7B126716083039FC718EF28C890A6EB7E5BFA6728F50491DF4A6C7291E730D944DB96

Function 00CA911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

DragQueryPoint.SHELL32(?,?), ref: 00CA9147

Part of subcall function 00CA7674: ClientToScreen.USER32(?,?), ref: 00CA769A
Part of subcall function 00CA7674: GetWindowRect.USER32(?,?), ref: 00CA7710
Part of subcall function 00CA7674: PtInRect.USER32(?,?,00CA8B89), ref: 00CA7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CA91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CA91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CA91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CA9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CA923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CA9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CA9277
DragFinish.SHELL32(?), ref: 00CA927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CA9371

Strings

pE, xrefs: 00CA92BB
@GUI_DROPID, xrefs: 00CA929E
@GUI_DRAGID, xrefs: 00CA92E9
@GUI_DRAGFILE, xrefs: 00CA9320

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pE
API String ID: 221274066-376074056
Opcode ID: 3eab43e114240217e93f5e1db1356bc478af007ac0dd7a030a7f0a74c23b910b
Instruction ID: f340fa3b9d9a7f562813b4643dafe99d0cdad8092e4324f0a27b49054e7c89a0
Opcode Fuzzy Hash: 3eab43e114240217e93f5e1db1356bc478af007ac0dd7a030a7f0a74c23b910b
Instruction Fuzzy Hash: 32617F71108301AFD701DF94DC95EAFBBE8EF8A754F00091EF595931A1DB309A45DB52

Function 00C93FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CACC08), ref: 00C940BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C940CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CACC08), ref: 00C940F2
FreeLibrary.KERNEL32(00000000,?,00CACC08), ref: 00C9413E
StringFromGUID2.OLE32(?,?,00000028,?,00CACC08), ref: 00C941A8
SysFreeString.OLEAUT32(00000009), ref: 00C94262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C942C8
SysFreeString.OLEAUT32(?), ref: 00C942F2

Strings

kernel32.dll, xrefs: 00C940B6
GetModuleHandleExW, xrefs: 00C940C7

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: a560f222bbe46094f24da11b642d90ecd3116f40c0fc4c70039ef38382731d42
Instruction ID: 8e56d560d019b69a0d488a07f96ea99660a2ae17fb1a6be11fc9fa33efcbe951
Opcode Fuzzy Hash: a560f222bbe46094f24da11b642d90ecd3116f40c0fc4c70039ef38382731d42
Instruction Fuzzy Hash: 61123C75A00115EFDF18CF94C888EAEBBB5FF49318F248098E9159B251D731EE46CBA0

Function 00C1326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00CE1990), ref: 00C52F8D
GetMenuItemCount.USER32(00CE1990), ref: 00C5303D
GetCursorPos.USER32(?), ref: 00C53081
SetForegroundWindow.USER32(00000000), ref: 00C5308A
TrackPopupMenuEx.USER32(00CE1990,00000000,?,00000000,00000000,00000000), ref: 00C5309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C530A9

Strings

0, xrefs: 00C1327D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 9e73d7d1e97314fc5aa7b42ecc75f6d099d87bc111e02d4884aa762f6dfb0b88
Instruction ID: f8d78dd76491d8501dbe58242d26f9e13917a574817d6b82d396b8e455f29db4
Opcode Fuzzy Hash: 9e73d7d1e97314fc5aa7b42ecc75f6d099d87bc111e02d4884aa762f6dfb0b88
Instruction Fuzzy Hash: F5716E34600255BEEB21DF64DC89F9EBFA4FF02368F204206F924661E1C7B1AE94E754

Function 00CA6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CA6DEB

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CA6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CA6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA6E94
DestroyWindow.USER32(?), ref: 00CA6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C10000,00000000), ref: 00CA6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA6EFD
GetDesktopWindow.USER32 ref: 00CA6F16
GetWindowRect.USER32(00000000), ref: 00CA6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CA6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CA6F4D

Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952

Strings

0, xrefs: 00CA6D98
tooltips_class32, xrefs: 00CA6E58, 00CA6EDD

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e5eb1bb84b3a6f2eb479b38a84bf083fac208f66559ab0e6697f179613b62cde
Instruction ID: d86adaad1d91b6df57930090250a799a0e0131a6fd329c620001859ce7f620d9
Opcode Fuzzy Hash: e5eb1bb84b3a6f2eb479b38a84bf083fac208f66559ab0e6697f179613b62cde
Instruction Fuzzy Hash: 45715874144245AFDB21CF58DC84FAABBE9FB8A308F08051EF999872A1C771AA45DB11

Function 00C8C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C8C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C8C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C8C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C8C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C8C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C8C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C8C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C8C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C8C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C8C5F0
InternetCloseHandle.WININET(00000000), ref: 00C8C5FB

Strings

, xrefs: 00C8C575

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 33b3c52a32e8c866b7b33777e47b1a5cea4066f15159bca8be76418d4d8c1ce6
Instruction ID: 6ad501ce9e8873a833ac2a1e92689d190feff01f6e4a2d812fc46e7d1921f50a
Opcode Fuzzy Hash: 33b3c52a32e8c866b7b33777e47b1a5cea4066f15159bca8be76418d4d8c1ce6
Instruction Fuzzy Hash: 6C513BB1500608BFDB21AF61C9C8BBB7BBCEB09758F004419F955D7650DB34EA44AB74

Function 00CA856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CA8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00CA85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CA85AD
CloseHandle.KERNEL32(00000000), ref: 00CA85BA
GlobalLock.KERNEL32(00000000), ref: 00CA85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CA85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CA85E0
CloseHandle.KERNEL32(00000000), ref: 00CA85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CA85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CAFC38,?), ref: 00CA8611
GlobalFree.KERNEL32(00000000), ref: 00CA8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CA8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CA8671
DeleteObject.GDI32(00000000), ref: 00CA8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CA86AF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cc9cf16b65e88e12cd5b2e3fd1d7c28602beecd6a3ff87cd97549ca9c752a4e6
Instruction ID: 1ffe2f0452f7b42b5dd65a8ca35e6a6f798675042cb268a55b37665f26dcac73
Opcode Fuzzy Hash: cc9cf16b65e88e12cd5b2e3fd1d7c28602beecd6a3ff87cd97549ca9c752a4e6
Instruction Fuzzy Hash: 02410775600209AFDB119FA5CC88FAE7BB8FF8AB19F104159F915E7260DB309A05CB60

Function 00C814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C81502
VariantCopy.OLEAUT32(?,?), ref: 00C8150B
VariantClear.OLEAUT32(?), ref: 00C81517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00C81657
VariantInit.OLEAUT32(?), ref: 00C81708
SysFreeString.OLEAUT32(?), ref: 00C8178C
VariantClear.OLEAUT32(?), ref: 00C817D8
VariantClear.OLEAUT32(?), ref: 00C817E7
VariantInit.OLEAUT32(00000000), ref: 00C81823

Strings

Default, xrefs: 00C816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00C81625

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 111ff14c344e83893450526a8d091ff917d0b00e973a0c89859f6556af2421b6
Instruction ID: 578080c336b441c3062679b0290ddfb760ce8036f2f7355a43fa7e383d430df2
Opcode Fuzzy Hash: 111ff14c344e83893450526a8d091ff917d0b00e973a0c89859f6556af2421b6
Instruction Fuzzy Hash: A6D10531600119DBDB10AF66E885B7DB7F9BF46708F18806AFC46AB580DB30DD42EB65

Function 00C9B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00C9B80A
RegCloseKey.ADVAPI32(?), ref: 00C9B87E
RegCloseKey.ADVAPI32(?), ref: 00C9B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C9B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C9B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C9B922
FreeLibrary.KERNEL32(00000000), ref: 00C9B983
RegCloseKey.ADVAPI32(00000000), ref: 00C9B994

Strings

RegDeleteKeyExW, xrefs: 00C9B8FE
advapi32.dll, xrefs: 00C9B8ED

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 84f954c0553f23750e674cfe74e9e1b025764a25bffaaf0199cbb780552fcb8e
Instruction ID: 7dbafb7a622aa88fc536aa8fcf835baf4d861a4881fcad9d2c8b205f85bc94fd
Opcode Fuzzy Hash: 84f954c0553f23750e674cfe74e9e1b025764a25bffaaf0199cbb780552fcb8e
Instruction Fuzzy Hash: E5C19E30204201AFDB10DF14D598F2ABBE5FF85308F15859CF5AA4B2A2CB71ED86DB91

Function 00C9255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C925E8
CreateCompatibleDC.GDI32(?), ref: 00C925F4
SelectObject.GDI32(00000000,?), ref: 00C92601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C9266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C926D0
SelectObject.GDI32(?,?), ref: 00C926D8
DeleteObject.GDI32(?), ref: 00C926E1
DeleteDC.GDI32(?), ref: 00C926E8
ReleaseDC.USER32(00000000,?), ref: 00C926F3

Strings

(, xrefs: 00C9268D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 689fda5f3288e50256f411da78bc9afdde8fab9578464bfc7bc985c5813a7c0d
Instruction ID: 60dda1baba4a847382234595482497a9e7cb0f4389b0a6071f432e4d452fbadd
Opcode Fuzzy Hash: 689fda5f3288e50256f411da78bc9afdde8fab9578464bfc7bc985c5813a7c0d
Instruction Fuzzy Hash: 6061E475E00219EFCF05CFA4D984AAEBBF5FF48314F208529E955A7250D770A941DF90

Function 00C4DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C4DAA1

Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D659
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D66B
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D67D
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D68F
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6A1
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6B3
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6C5
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6D7
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6E9
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6FB
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D70D
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D71F
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D731

_free.LIBCMT ref: 00C4DA96

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C4DAB8
_free.LIBCMT ref: 00C4DACD
_free.LIBCMT ref: 00C4DAD8
_free.LIBCMT ref: 00C4DAFA
_free.LIBCMT ref: 00C4DB0D
_free.LIBCMT ref: 00C4DB1B
_free.LIBCMT ref: 00C4DB26
_free.LIBCMT ref: 00C4DB5E
_free.LIBCMT ref: 00C4DB65
_free.LIBCMT ref: 00C4DB82
_free.LIBCMT ref: 00C4DB9A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7a586c190c7a38f96f4f0b8a1e4d92889406a6418c3f1f75c17357e2184dbbe4
Instruction ID: 6a6b1dbf659a48bfbfe750638e9b256610eef0ec29d6ebe81b2caf75d9e200dc
Opcode Fuzzy Hash: 7a586c190c7a38f96f4f0b8a1e4d92889406a6418c3f1f75c17357e2184dbbe4
Instruction Fuzzy Hash: A23170316047059FEB22BA39E846B5A77E9FF10310F55441AF46AD7291DF31EE80E720

Function 00C7365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C7369C
_wcslen.LIBCMT ref: 00C736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C73797
GetClassNameW.USER32(?,?,00000400), ref: 00C7380C
GetDlgCtrlID.USER32(?), ref: 00C7385D
GetWindowRect.USER32(?,?), ref: 00C73882
GetParent.USER32(?), ref: 00C738A0
ScreenToClient.USER32(00000000), ref: 00C738A7
GetClassNameW.USER32(?,?,00000100), ref: 00C73921
GetWindowTextW.USER32(?,?,00000400), ref: 00C7395D

Strings

%s%u, xrefs: 00C73734

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 212ad9d4ef94725f2f15dc11627f7572663d611d24247f57b1a034da9c919a49
Instruction ID: c8fc642e309b90861957ddb370a27d14f283ea504a7f3fbac825ab68928e8970
Opcode Fuzzy Hash: 212ad9d4ef94725f2f15dc11627f7572663d611d24247f57b1a034da9c919a49
Instruction Fuzzy Hash: 0091BF71204646AFD719DF24C885BAAF7A8FF44354F00C629FAADD2190DB30EB45DBA1

Function 00C74954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C74994
GetWindowTextW.USER32(?,?,00000400), ref: 00C749DA
_wcslen.LIBCMT ref: 00C749EB
CharUpperBuffW.USER32(?,00000000), ref: 00C749F7
_wcsstr.LIBVCRUNTIME ref: 00C74A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C74A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C74A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C74AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C74B20
GetWindowRect.USER32(?,?), ref: 00C74B8B

Strings

ThumbnailClass, xrefs: 00C74A6F, 00C74AF1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f3fda545cef709739035f171468c5c6e480d5980847bb3d79bfbfd68ae86569c
Instruction ID: e6ec6619e052fbc965b7fa7ed5db851164746e3ff46e20486ff06b0be274f062
Opcode Fuzzy Hash: f3fda545cef709739035f171468c5c6e480d5980847bb3d79bfbfd68ae86569c
Instruction Fuzzy Hash: 3791DE311042059FDB09DF14C985FAAB7E8FF84314F04C46AFD999A096EB30EE45DBA1

Function 00C7BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00CE1990,000000FF,00000000,00000030), ref: 00C7BFAC
SetMenuItemInfoW.USER32(00CE1990,00000004,00000000,00000030), ref: 00C7BFE1
Sleep.KERNEL32(000001F4), ref: 00C7BFF3
GetMenuItemCount.USER32(?), ref: 00C7C039
GetMenuItemID.USER32(?,00000000), ref: 00C7C056
GetMenuItemID.USER32(?,-00000001), ref: 00C7C082
GetMenuItemID.USER32(?,?), ref: 00C7C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C7C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C7C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C7C145

Strings

0, xrefs: 00C7BF3D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 29d8ea97299ffd4e9b7c3aa5cda5014bf45fe16769e9e45a697fdd7d4311802c
Instruction ID: d87e45b06a040b319179fe10ffa8c2d51e68b1821a9fec77ab8058bd6bc577c9
Opcode Fuzzy Hash: 29d8ea97299ffd4e9b7c3aa5cda5014bf45fe16769e9e45a697fdd7d4311802c
Instruction Fuzzy Hash: D36181B0900246AFDF11CF64DDC8BEE7BB8EB05344F448069F829A3291D735AE55DBA0

Function 00C9CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C9CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C9CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C9CD48

Part of subcall function 00C9CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C9CCAA
Part of subcall function 00C9CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C9CCBD
Part of subcall function 00C9CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C9CCCF
Part of subcall function 00C9CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C9CD05
Part of subcall function 00C9CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C9CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C9CCF3

Strings

RegDeleteKeyExW, xrefs: 00C9CCC9
advapi32.dll, xrefs: 00C9CCB8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 6722d6172f1897dbd40edaefc16621697a5eaef7f66158883e1b421975253819
Instruction ID: a905bf10e1819524fcdea12ec4d076c2d4db75ed44ab4519549080ccba34fb3a
Opcode Fuzzy Hash: 6722d6172f1897dbd40edaefc16621697a5eaef7f66158883e1b421975253819
Instruction Fuzzy Hash: 33315A72A01129BBDB208B95DCCCFFFBB7CEF46754F000165E916E3240DA349A45AAA0

Function 00C83D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C83D40
_wcslen.LIBCMT ref: 00C83D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C83D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C83DBE
RemoveDirectoryW.KERNEL32(?), ref: 00C83DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C83E55
CloseHandle.KERNEL32(00000000), ref: 00C83E60
CloseHandle.KERNEL32(00000000), ref: 00C83E6B

Strings

:, xrefs: 00C83D82
\, xrefs: 00C83D77
\??\%s, xrefs: 00C83D5B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b949715484b8aa82e9e19e7c593f09f7dce30f2154ee56270ca11034925845a1
Instruction ID: 6583d6a8da25c6bc06c0efb22ab7983ba91bea6fea967678d3fd699dcdf7a22f
Opcode Fuzzy Hash: b949715484b8aa82e9e19e7c593f09f7dce30f2154ee56270ca11034925845a1
Instruction Fuzzy Hash: 2B31D471A10249ABDB21AFA0DC88FEF37BCEF89B04F1041B6F915D6160EB7497448B24

Function 00C7E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C7E6B4

Part of subcall function 00C2E551: timeGetTime.WINMM(?,?,00C7E6D4), ref: 00C2E555

Sleep.KERNEL32(0000000A), ref: 00C7E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C7E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C7E727
SetActiveWindow.USER32 ref: 00C7E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C7E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C7E773
Sleep.KERNEL32(000000FA), ref: 00C7E77E
IsWindow.USER32 ref: 00C7E78A
EndDialog.USER32(00000000), ref: 00C7E79B

Strings

BUTTON, xrefs: 00C7E719

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8a54efd2d907f33047ea16b0b064b2578400f35fe1fe094da5b3de1a18dec356
Instruction ID: 2a3e38cae76345f5b234d2deb4d795bcd7507f94f76381b4705683ee6376d165
Opcode Fuzzy Hash: 8a54efd2d907f33047ea16b0b064b2578400f35fe1fe094da5b3de1a18dec356
Instruction Fuzzy Hash: D1218172200685AFEB009F64ECC9B2D3B6DF75A34DB109465F919C61B1DBB1AD10AB24

Function 00C7E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C7EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C7EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C7EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C7EAA7

Strings

open , xrefs: 00C7EA0C
play PlayMe, xrefs: 00C7EAA2
close PlayMe, xrefs: 00C7EA6E, 00C7EA9B
alias PlayMe, xrefs: 00C7EA36
play PlayMe wait, xrefs: 00C7EA91
status PlayMe mode, xrefs: 00C7EA58

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ca4f23a76d418289fe5c36651e9316831f2e909b810548123d53036849237fe3
Instruction ID: a7c514e042fcbb74b104ea568616d60112e44c5bc082ac0512481c69173079a7
Opcode Fuzzy Hash: ca4f23a76d418289fe5c36651e9316831f2e909b810548123d53036849237fe3
Instruction Fuzzy Hash: 6111A331A9026979D720E7A1DC5AEFF6B7CFBD6B10F40043AB911A21D0EE701A45E5B0

Function 00C79F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C7A012
SetKeyboardState.USER32(?), ref: 00C7A07D
GetAsyncKeyState.USER32(000000A0), ref: 00C7A09D
GetKeyState.USER32(000000A0), ref: 00C7A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00C7A0E3
GetKeyState.USER32(000000A1), ref: 00C7A0F4
GetAsyncKeyState.USER32(00000011), ref: 00C7A120
GetKeyState.USER32(00000011), ref: 00C7A12E
GetAsyncKeyState.USER32(00000012), ref: 00C7A157
GetKeyState.USER32(00000012), ref: 00C7A165
GetAsyncKeyState.USER32(0000005B), ref: 00C7A18E
GetKeyState.USER32(0000005B), ref: 00C7A19C

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 920f95075aa82910c0af466f95aec268054a540b5d9206ffa5bf1c2b3f70a513
Instruction ID: 567ea62cbb5ddd1e824a7e1a4690ed05f2c39aeeeef6ac44efe0b21e4148fa84
Opcode Fuzzy Hash: 920f95075aa82910c0af466f95aec268054a540b5d9206ffa5bf1c2b3f70a513
Instruction Fuzzy Hash: EF510930A047886AFB35DBB088117EEBFB49F42380F48C589D5DA571C3DA64AB4CC762

Function 00C75CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C75CE2
GetWindowRect.USER32(00000000,?), ref: 00C75CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C75D59
GetDlgItem.USER32(?,00000002), ref: 00C75D69
GetWindowRect.USER32(00000000,?), ref: 00C75D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C75DCF
GetDlgItem.USER32(?,000003E9), ref: 00C75DDD
GetWindowRect.USER32(00000000,?), ref: 00C75DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C75E31
GetDlgItem.USER32(?,000003EA), ref: 00C75E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C75E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C75E67

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 345eae9145b27f7177b5678c9ae203741df98884f4669f71539e27a0cb0fedd2
Instruction ID: 7bf9606649955f02c433e94f2a2befbd22d74fcae37cf4c208012aa9e3fe7c3b
Opcode Fuzzy Hash: 345eae9145b27f7177b5678c9ae203741df98884f4669f71539e27a0cb0fedd2
Instruction Fuzzy Hash: 4751FCB1A00609AFDB18CF68DD89BAEBBB5FB48304F148129F919E7290D7709E04CB50

Function 00C28BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C28BE8,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28FC5

DestroyWindow.USER32(?), ref: 00C28C81
KillTimer.USER32(00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C66973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000), ref: 00C669D4
DeleteObject.GDI32(00000000), ref: 00C669E6

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 878d2236889c28def3ee0062efcce7198f7d29a820c5d6a395cb46c4ec2c65c8
Instruction ID: e275035b53e19a08f8c6f69369cb69bdfdb41530ead4e55965608bf09897142d
Opcode Fuzzy Hash: 878d2236889c28def3ee0062efcce7198f7d29a820c5d6a395cb46c4ec2c65c8
Instruction Fuzzy Hash: 1F61DE31102660DFCB319F15EA88B2DB7F1FB41316F18451CE4529B9A1CB35AEA8DF90

Function 00C29838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952

GetSysColor.USER32(0000000F), ref: 00C29862

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 74e8f57b13ea6391be7c2063f9e78262124b49dcac3a33a3daa460d5b5abd0eb
Instruction ID: c4b058898274c53da6d7692891be58e32671e8e4c34b0520e5c188438fd015d9
Opcode Fuzzy Hash: 74e8f57b13ea6391be7c2063f9e78262124b49dcac3a33a3daa460d5b5abd0eb
Instruction Fuzzy Hash: 42418031504650AFDB249F38AC88BBD3BA5EB17334F184655FAB68B2E1D7319D42DB10

Function 00C83388 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C833CF

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C833F0

Strings

Incorrect parameters to object property !, xrefs: 00C834AB
^ ERROR , xrefs: 00C8349E
GpE, xrefs: 00C83388
"%s" (%d) : ==> %s:%s%s, xrefs: 00C83504
Line %d (File "%s"):, xrefs: 00C83443, 00C8345C
"%s" (%d) : ==> %s:, xrefs: 00C83522
Error: , xrefs: 00C834D1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$GpE$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-4243851318
Opcode ID: a14a339ee8d8720190431e67f15065f0b2abe6042744e2e14a0a955dbc6dba7d
Instruction ID: 59c7ac9a7e28bf1e840823d4acd5e7437b9d81d964af3d4be3486d3fb9bf636f
Opcode Fuzzy Hash: a14a339ee8d8720190431e67f15065f0b2abe6042744e2e14a0a955dbc6dba7d
Instruction Fuzzy Hash: 8351AC71900249AADF14EBA0CD92EEEB778EF05744F144066F509721A2EB312F98FB60

Function 00C796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C79717
LoadStringW.USER32(00000000,?,00C5F7F8,00000001), ref: 00C79720

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C79742
LoadStringW.USER32(00000000,?,00C5F7F8,00000001), ref: 00C79745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C79866

Strings

Line %d (File "%s"):, xrefs: 00C7978F
%s (%d) : ==> %s: %s %s, xrefs: 00C7984A
^ ERROR, xrefs: 00C797FB
Line %d:, xrefs: 00C797A0
Error: , xrefs: 00C7981D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 2d9d8c3ba8fb0f24886e9edef65520cc5c0ffbc0c55692d71d4936828ee31492
Instruction ID: 5df18d39f75666573171133f81256eeee682000752cd680f28badc681bb8546d
Opcode Fuzzy Hash: 2d9d8c3ba8fb0f24886e9edef65520cc5c0ffbc0c55692d71d4936828ee31492
Instruction Fuzzy Hash: BA415371800109AADB04EBD0CD96EEE7778EF56344F504025F605720A1EB356F89EB61

Function 00C706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C70804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C7082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C70837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C7083C

Strings

\IPC$, xrefs: 00C70784
\CLSID, xrefs: 00C70724
SOFTWARE\Classes\, xrefs: 00C7070E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: b94a83fd571a687d4e8da71ac219e29798f64014874275ca99f4ccdb46c5273e
Instruction ID: 49098b4d2aa2fddd8ca0137db67d7b47b794ac9d87ad3d316560e9afd4556b4c
Opcode Fuzzy Hash: b94a83fd571a687d4e8da71ac219e29798f64014874275ca99f4ccdb46c5273e
Instruction Fuzzy Hash: 65413872C10228EBDF15EBA4DC95DEDB778FF05354F14412AE915A31A0EB30AE45EBA0

Function 00CA3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CA403B
CreateCompatibleDC.GDI32(00000000), ref: 00CA4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CA4055
SelectObject.GDI32(00000000,00000000), ref: 00CA405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CA4068
DeleteDC.GDI32(00000000), ref: 00CA4072
GetWindowLongW.USER32(?,000000EC), ref: 00CA407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CA4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CA409E

Strings

static, xrefs: 00CA3FD3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e5160b163532744e5b3ac05cdc8737e9091262f78e0e1f8f105916060eca90c0
Instruction ID: 0510077958a3c29f502f0b31a625cb516eb51e344f61da0951e7bf5b37da3037
Opcode Fuzzy Hash: e5160b163532744e5b3ac05cdc8737e9091262f78e0e1f8f105916060eca90c0
Instruction Fuzzy Hash: 48316E3250121AAFDF219FA4DC49FDE3BA8EF0E328F110211FA25E61A0C775D950EB94

Function 00C93C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C93C5C
CoInitialize.OLE32(00000000), ref: 00C93C8A
CoUninitialize.OLE32 ref: 00C93C94
_wcslen.LIBCMT ref: 00C93D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00C93DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C93ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C93F0E
CoGetObject.OLE32(?,00000000,00CAFB98,?), ref: 00C93F2D
SetErrorMode.KERNEL32(00000000), ref: 00C93F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C93FC4
VariantClear.OLEAUT32(?), ref: 00C93FD8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 01f840746c1dbae1b0c6bc7b8ad4e9145ecd7a194db7e422ca5fcded27130512
Instruction ID: 72d81d80778eb961253ffd01371ee3c4760cf889bb47a747c3a6247f8db6d95b
Opcode Fuzzy Hash: 01f840746c1dbae1b0c6bc7b8ad4e9145ecd7a194db7e422ca5fcded27130512
Instruction Fuzzy Hash: 02C146716083459FDB00DF68C88892BB7E9FF89748F10495DF99A9B250DB30EE45CB52

Function 00C87A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C87AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C87B8F
SHGetDesktopFolder.SHELL32(?), ref: 00C87BA3
CoCreateInstance.OLE32(00CAFD08,00000000,00000001,00CD6E6C,?), ref: 00C87BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C87C74
CoTaskMemFree.OLE32(?,?), ref: 00C87CCC
SHBrowseForFolderW.SHELL32(?), ref: 00C87D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C87D7A
CoTaskMemFree.OLE32(00000000), ref: 00C87D81
CoTaskMemFree.OLE32(00000000), ref: 00C87DD6
CoUninitialize.OLE32 ref: 00C87DDC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ded116ad01b8fbfa14c191d6429f437e67184ec84632fabed18320bea6456f87
Instruction ID: 829813c51877d6e04293407057d96a755dfbbd91e56fec1fa819b45cb40fd5b0
Opcode Fuzzy Hash: ded116ad01b8fbfa14c191d6429f437e67184ec84632fabed18320bea6456f87
Instruction Fuzzy Hash: EBC11C75A04109AFCB14DF64C888DAEBBF9FF49308B148599F8199B361D730EE81DB94

Function 00CA541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CA5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA5515
CharNextW.USER32(00000158), ref: 00CA5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CA5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CA559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA55AC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a350eff7a0b8690eea8a47f783445c3ca02c8bf74f50abff32c2d342338b1e3f
Instruction ID: 98758c65d8e06e5ad5483114f2a9b277d7ca06fc5aa90e10e1f631f99587f384
Opcode Fuzzy Hash: a350eff7a0b8690eea8a47f783445c3ca02c8bf74f50abff32c2d342338b1e3f
Instruction Fuzzy Hash: A461727190060AEBDF10CFA5CC84AFE7BB9EB0B728F148145F9259B290D7748A81DB60

Function 00C6FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C6FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C6FB08
VariantInit.OLEAUT32(?), ref: 00C6FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C6FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C6FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C6FBA1
VariantClear.OLEAUT32(?), ref: 00C6FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C6FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C6FBCC
VariantClear.OLEAUT32(?), ref: 00C6FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C6FBE9

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 550fc13d046008b807ca374c59f412979889887474f0c90880871fc3192f7d67
Instruction ID: 7b0361a5a22df591040135abe1e9eac198323296b03818636a876129ef69d2b5
Opcode Fuzzy Hash: 550fc13d046008b807ca374c59f412979889887474f0c90880871fc3192f7d67
Instruction Fuzzy Hash: 04414175A002199FCB10DFA8D898AFDBBB9FF49344F008069E955A7261CB30A946DF94

Function 00C79C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C79CA1
GetAsyncKeyState.USER32(000000A0), ref: 00C79D22
GetKeyState.USER32(000000A0), ref: 00C79D3D
GetAsyncKeyState.USER32(000000A1), ref: 00C79D57
GetKeyState.USER32(000000A1), ref: 00C79D6C
GetAsyncKeyState.USER32(00000011), ref: 00C79D84
GetKeyState.USER32(00000011), ref: 00C79D96
GetAsyncKeyState.USER32(00000012), ref: 00C79DAE
GetKeyState.USER32(00000012), ref: 00C79DC0
GetAsyncKeyState.USER32(0000005B), ref: 00C79DD8
GetKeyState.USER32(0000005B), ref: 00C79DEA

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6e77883cd58d345d4cc3a348f287678ce68dea2ee526c5ca91f61e308404e63d
Instruction ID: 7fa7026c67827200eb6f8cb52d1aac8a917bba2afda696509dd9d41860039d10
Opcode Fuzzy Hash: 6e77883cd58d345d4cc3a348f287678ce68dea2ee526c5ca91f61e308404e63d
Instruction Fuzzy Hash: 7641A834504BC96DFF31966488443B5BEA1EF22344F08C05ADADA575C2EBB59BC8C792

Function 00C9055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C905BC
inet_addr.WSOCK32(?), ref: 00C9061C
gethostbyname.WSOCK32(?), ref: 00C90628
IcmpCreateFile.IPHLPAPI ref: 00C90636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00C907B9
WSACleanup.WSOCK32 ref: 00C907BF

Strings

Ping, xrefs: 00C90676

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: dd54968f91952350f690c1348937e7e297ca8aa090b7b12375688c035c2fedb6
Instruction ID: 659d987caf52861a2c086655fb19326dd19638c6189db6aef74a8f9165639b7e
Opcode Fuzzy Hash: dd54968f91952350f690c1348937e7e297ca8aa090b7b12375688c035c2fedb6
Instruction Fuzzy Hash: D5917C35604201AFDB20DF55D888F1ABBE0AF45328F2585A9F4698B6A2C730ED85CF91

Function 00C98CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00C98CF3

Part of subcall function 00C78E54: _wcslen.LIBCMT ref: 00C78E77

_wcslen.LIBCMT ref: 00C98D4E
_wcslen.LIBCMT ref: 00C98D9C
_wcslen.LIBCMT ref: 00C98DDC
_wcslen.LIBCMT ref: 00C98E6E

Strings

stdcall, xrefs: 00C98DD6, 00C98DDB
none, xrefs: 00C98E65, 00C98E6A
cdecl, xrefs: 00C98D48, 00C98D4D
winapi, xrefs: 00C98D96, 00C98D9B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4c4395deb71ac892af65ef6e9e1f1b88efa659c3e3243d18fd6a1095db3f4d37
Instruction ID: fcc99781b443433e0e62888ef2407a8ea24deaaa3865e157a68ed44b4b619980
Opcode Fuzzy Hash: 4c4395deb71ac892af65ef6e9e1f1b88efa659c3e3243d18fd6a1095db3f4d37
Instruction Fuzzy Hash: 2751C136A001169BCF14DF68C8549BEB3A5BF66720B204229F526E73C4EB35DE48D790

Function 00C9372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00C93774
CoUninitialize.OLE32 ref: 00C9377F
CoCreateInstance.OLE32(?,00000000,00000017,00CAFB78,?), ref: 00C937D9
IIDFromString.OLE32(?,?), ref: 00C9384C
VariantInit.OLEAUT32(?), ref: 00C938E4
VariantClear.OLEAUT32(?), ref: 00C93936

Strings

Failed to create object, xrefs: 00C937E4, 00C9389A
Invalid parameter, xrefs: 00C93865
NULL Pointer assignment, xrefs: 00C9381E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b4d4658d739cee0dae0ba35679774e89e1a9c77f2dcf2dd27a8a89a1c0105718
Instruction ID: 73cd9988ca55e7a141b21d747548fa6ce3e152b506b77e1cf6f7bb12eae4e49e
Opcode Fuzzy Hash: b4d4658d739cee0dae0ba35679774e89e1a9c77f2dcf2dd27a8a89a1c0105718
Instruction Fuzzy Hash: 1661CE70208341AFDB10DF54C88CB6ABBE8EF49714F10091AF9959B291D770EE48DB96

Function 00C7B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C7B5FC
_wcslen.LIBCMT ref: 00C7B608
_wcslen.LIBCMT ref: 00C7B64D
_wcslen.LIBCMT ref: 00C7B68C
_wcslen.LIBCMT ref: 00C7B6C7

Strings

EXISTS, xrefs: 00C7B686, 00C7B68B
KEYS, xrefs: 00C7B647, 00C7B64C
APPEND, xrefs: 00C7B6C1, 00C7B6C6
REMOVE, xrefs: 00C7B602, 00C7B607

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 64b1185641e179dfbdf143d03354c5dac93fa7ff5e90d2e9875b2b35278b73aa
Instruction ID: a95f5fa7ef181c713d1075588e4d0887c0d2fa84e0e593dfe9a41148ee55a2d4
Opcode Fuzzy Hash: 64b1185641e179dfbdf143d03354c5dac93fa7ff5e90d2e9875b2b35278b73aa
Instruction Fuzzy Hash: 9841D832A001269ACB146F7D88907BE77B5AF61764B258129F639D7284E735CE81C790

Function 00C7BC5E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C7BCFD
IsMenu.USER32(00000000), ref: 00C7BD1D
CreatePopupMenu.USER32 ref: 00C7BD53
GetMenuItemCount.USER32(pm), ref: 00C7BDA4
InsertMenuItemW.USER32(pm,?,00000001,00000030), ref: 00C7BDCC

Strings

pm, xrefs: 00C7BD2B, 00C7BDA3
2, xrefs: 00C7BD37
pm, xrefs: 00C7BCE3, 00C7BCBC, 00C7BDCA
0, xrefs: 00C7BCA8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2$pm$pm
API String ID: 93392585-452916894
Opcode ID: c6026f92ba96bde6e91278721007c04eec4d1a5ed3951e037e1bbd04fea28e60
Instruction ID: 2c7828588ef46e1aefbac78fb2c6b9850165b144f641617b221f6cb88bf0886f
Opcode Fuzzy Hash: c6026f92ba96bde6e91278721007c04eec4d1a5ed3951e037e1bbd04fea28e60
Instruction Fuzzy Hash: 8C519E70A002059FDB21CFA9D8C4BAEBBF8AF65314F14C119F429D7299E770AE40CB51

Function 00C85393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C85416
GetLastError.KERNEL32 ref: 00C85420
SetErrorMode.KERNEL32(00000000,READY), ref: 00C854A7

Strings

READY, xrefs: 00C85460, 00C85468
INVALID, xrefs: 00C85459
NOTREADY, xrefs: 00C8544B
READONLY, xrefs: 00C85452
UNKNOWN, xrefs: 00C85444

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1c26a69b5c6433bfa66afe46abbbb63e362678460a011b17f42220aa5dbd954f
Instruction ID: 687e9efe11da535c230dd8b0acb7b2b9b87bbe2cf5d763936f6473c05653c412
Opcode Fuzzy Hash: 1c26a69b5c6433bfa66afe46abbbb63e362678460a011b17f42220aa5dbd954f
Instruction Fuzzy Hash: D231A375A006049FDB10EF68C484BAE7BF4EF85309F14806AE515CB392DBB1DE86DB90

Function 00CA3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CA3C79
SetMenu.USER32(?,00000000), ref: 00CA3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA3D10
IsMenu.USER32(?), ref: 00CA3D24
CreatePopupMenu.USER32 ref: 00CA3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA3D5B
DrawMenuBar.USER32 ref: 00CA3D63

Strings

F, xrefs: 00CA3D4E
0, xrefs: 00CA3C54

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: c89dec56ebc5cbd39ee45d1a5747405ddb136479c3b0d52b754f7a5482ed0a31
Instruction ID: d754f2b1a928512efc728393e9351a7100c0340ce9e21bd9e756bdc07ba05c66
Opcode Fuzzy Hash: c89dec56ebc5cbd39ee45d1a5747405ddb136479c3b0d52b754f7a5482ed0a31
Instruction Fuzzy Hash: FE418A75A0120AEFDB14CF64D898BEE7BB5FF4A358F140029F916A7360D730AA10DB90

Function 00C71EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C71F64
GetDlgCtrlID.USER32 ref: 00C71F6F
GetParent.USER32 ref: 00C71F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C71F8E
GetDlgCtrlID.USER32(?), ref: 00C71F97
GetParent.USER32(?), ref: 00C71FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C71FAE

Strings

ListBox, xrefs: 00C71F21
ComboBox, xrefs: 00C71EEC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e17627c4d07e3cbc4800709bc3b36fc45c680ee99580562bbfb16d874a974485
Instruction ID: d4e6b5a8851bbfe87fa5578aef910230097738082b8a104e9c2a6539c484dbb7
Opcode Fuzzy Hash: e17627c4d07e3cbc4800709bc3b36fc45c680ee99580562bbfb16d874a974485
Instruction Fuzzy Hash: 2221B070A00214BBCF05EFE4CC95AEEBBB8EF06350F104116F965672D1CB345914AB60

Function 00C71FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C72043
GetDlgCtrlID.USER32 ref: 00C7204E
GetParent.USER32 ref: 00C7206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C7206D
GetDlgCtrlID.USER32(?), ref: 00C72076
GetParent.USER32(?), ref: 00C7208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C7208D

Strings

ListBox, xrefs: 00C72002
ComboBox, xrefs: 00C71FCD

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 30d8d16add0d496867e0f4a251d119c4e62e7cb0be692f289cf4099778b8dc9a
Instruction ID: ea914798cfbe84e64639c3e9c6e57b5cd894a6339cc525c7333bacc5a095d862
Opcode Fuzzy Hash: 30d8d16add0d496867e0f4a251d119c4e62e7cb0be692f289cf4099778b8dc9a
Instruction Fuzzy Hash: C5219F75A00214BBDF11EFA0CC95FEEBFB8EF06344F004016B995A72A1DA754954EB60

Function 00CA3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CA3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CA3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CA3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CA3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CA3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CA3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CA3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CA3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CA3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CA3C13

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: bb75d45a8a6bdf956c3db4fc7d36b1b578d5cd740d30422ce77cf7a7d2afb65c
Instruction ID: b24e242a5af7e021f4ed7bd53f76d647d5fc8e63795c0a2f53e22243eb3e5ed9
Opcode Fuzzy Hash: bb75d45a8a6bdf956c3db4fc7d36b1b578d5cd740d30422ce77cf7a7d2afb65c
Instruction Fuzzy Hash: 1E617D75900249AFDB10DFA4CC91FEE77B8EB0A718F140199FA15A7291C770AE41DB60

Function 00C7B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C7B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B165
GetWindowThreadProcessId.USER32(00000000), ref: 00C7B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B21D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a18eff551d593416754ad63eec5ab872c8bd661b45735e5905f3b072bafe3d73
Instruction ID: 00ed2143544123f13f93befdc49ca51ffb7a425a282f27cdf7b671a591a92c96
Opcode Fuzzy Hash: a18eff551d593416754ad63eec5ab872c8bd661b45735e5905f3b072bafe3d73
Instruction Fuzzy Hash: 4F318D75500248BFDB10DF64DCC8BAE7BAABB52365F108415FA29DB191D7B8AF408F60

Function 00C42C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C42C94

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C42CA0
_free.LIBCMT ref: 00C42CAB
_free.LIBCMT ref: 00C42CB6
_free.LIBCMT ref: 00C42CC1
_free.LIBCMT ref: 00C42CCC
_free.LIBCMT ref: 00C42CD7
_free.LIBCMT ref: 00C42CE2
_free.LIBCMT ref: 00C42CED
_free.LIBCMT ref: 00C42CFB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 207fdcf16463c1253bbb35480facc6dd79e20e2929c5767799fc778d761c133a
Instruction ID: 087b1d99bcd284e0be25c70e43f2be8ebe240f51b084850040c20506c9e4ff83
Opcode Fuzzy Hash: 207fdcf16463c1253bbb35480facc6dd79e20e2929c5767799fc778d761c133a
Instruction Fuzzy Hash: A511B376100108BFDB02EF95D883CDD3BA9FF15350F9144A5FA489F222DA31EE50AB90

Function 00C87DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C87FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C87FC1
GetFileAttributesW.KERNEL32(?), ref: 00C87FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C88005
SetCurrentDirectoryW.KERNEL32(?), ref: 00C88017
SetCurrentDirectoryW.KERNEL32(?), ref: 00C88060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C880B0

Strings

*.*, xrefs: 00C88066

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: d6126d18e878b4100141a2a6641c76747b33092d856233d6eaf98d5eab8c8191
Instruction ID: 1ce880cb4faaf175f275de64010b958c5d46e5e41388156aca32179d5942dcd1
Opcode Fuzzy Hash: d6126d18e878b4100141a2a6641c76747b33092d856233d6eaf98d5eab8c8191
Instruction Fuzzy Hash: 1C81C1725082019FCB20FF55C484AAEB3E8BF89318F64495EF899C7250EB34DE49DB56

Function 00C15BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C15C7A

Part of subcall function 00C15D0A: GetClientRect.USER32(?,?), ref: 00C15D30
Part of subcall function 00C15D0A: GetWindowRect.USER32(?,?), ref: 00C15D71
Part of subcall function 00C15D0A: ScreenToClient.USER32(?,?), ref: 00C15D99

GetDC.USER32 ref: 00C546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C54708
SelectObject.GDI32(00000000,00000000), ref: 00C54716
SelectObject.GDI32(00000000,00000000), ref: 00C5472B
ReleaseDC.USER32(?,00000000), ref: 00C54733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C547C4

Strings

U, xrefs: 00C54693

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8fdf0554f8a12b4da143b9e2180e1fda7e98058257ce33448ecc21c74935aaec
Instruction ID: 4278cf76160064294e5b95779ddeda37ba2f25251e521c6cd511628ad9d2a0cf
Opcode Fuzzy Hash: 8fdf0554f8a12b4da143b9e2180e1fda7e98058257ce33448ecc21c74935aaec
Instruction Fuzzy Hash: 9A71D239400205DFCF298F64C984BEA3BB1FF4A35AF144265FD655A1A6C73089D5EF50

Function 00C8359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C835E4

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

LoadStringW.USER32(00CE2390,?,00000FFF,?), ref: 00C8360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C83724
Line %d (File "%s"):, xrefs: 00C8366B
"%s" (%d) : ==> %s:, xrefs: 00C83742
^ ERROR, xrefs: 00C836C9
Error: , xrefs: 00C836EF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 94d1e2e060d51aed39a2478a6b06352bbaaf421d8142c80f00dcb878d13e6cdd
Instruction ID: 3d56f9a7c357d13eed1afdb36196e3a84f283064c5912e081cfbc445921151d9
Opcode Fuzzy Hash: 94d1e2e060d51aed39a2478a6b06352bbaaf421d8142c80f00dcb878d13e6cdd
Instruction Fuzzy Hash: 2F517C71900249AADF14EBA0CD92EEEBB38EF05714F444125F615721A1EB306BD9FBA4

Function 00C8C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C8C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C8C2CA
GetLastError.KERNEL32 ref: 00C8C322
SetEvent.KERNEL32(?), ref: 00C8C336
InternetCloseHandle.WININET(00000000), ref: 00C8C341

Strings

, xrefs: 00C8C2BB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ed741bc27f4c6564e2f885e80937a9beba1589095ce8c7123f0a41f1e70876a9
Instruction ID: acd80eeffbfb9ef2759b601fa84571b321e498aad94bbb7fe3f998e9e4e2d19e
Opcode Fuzzy Hash: ed741bc27f4c6564e2f885e80937a9beba1589095ce8c7123f0a41f1e70876a9
Instruction Fuzzy Hash: B1316BB1600608AFD721AFA598C8BAB7BFCEB4A748B10851EF456D3250DB34DE059B74

Function 00C7989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C53AAF,?,?,Bad directive syntax error,00CACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C798BC
LoadStringW.USER32(00000000,?,00C53AAF,?), ref: 00C798C3

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C79987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00C798F1
., xrefs: 00C7996D
Line %d (File "%s"):, xrefs: 00C7992D
Line %d:, xrefs: 00C79912
Error: , xrefs: 00C79955

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: c47b05dae26b2c9af6842d4e9ab23098c721bb1bfbccb2b747df1e59e9c14d69
Instruction ID: 38c1c07f5a12a2dd4208094548cd5fcc4386e03a94e9abae452c7ffe74779806
Opcode Fuzzy Hash: c47b05dae26b2c9af6842d4e9ab23098c721bb1bfbccb2b747df1e59e9c14d69
Instruction Fuzzy Hash: 1B219F3194021EABDF11EF90CC56EEE7775FF19304F04446AF619620A2EB71A658FB50

Function 00C7209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C7214D

Strings

list, xrefs: 00C7212F
SHELLDLL_DefView, xrefs: 00C720CC
smallicons, xrefs: 00C72115
details, xrefs: 00C720FB
largeicons, xrefs: 00C720E1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5b6da6b951882f54b0f608cac06db99b046900c0e33308f9923cf85252afffc3
Instruction ID: f70d2c4c38da9a05c22cb591a716ef7f677d4ab40e34257519503ab6d94eb39a
Opcode Fuzzy Hash: 5b6da6b951882f54b0f608cac06db99b046900c0e33308f9923cf85252afffc3
Instruction Fuzzy Hash: E8112976688706BBF6056621DC0BEAE379CEB05324F608027FB09A51D1FE616D016614

Function 00C48D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5e4556ebef24e971687e57ba6ca0e9ef2e18baf40945c86cee1270c33ca44c
Instruction ID: a2585ef04eb951dbbb6d72982fd4570435d36f54d3ab1c7e3340591c5d9ff7fc
Opcode Fuzzy Hash: bd5e4556ebef24e971687e57ba6ca0e9ef2e18baf40945c86cee1270c33ca44c
Instruction Fuzzy Hash: 4AC1E074D04259AFDB11DFA9D881BAEBBB0BF0D310F144099F824AB392C7758A46CB61

Function 00C4CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C4CEB7
_free.LIBCMT ref: 00C4CF22
_free.LIBCMT ref: 00C4CF48
_free.LIBCMT ref: 00C4CF71
_free.LIBCMT ref: 00C4CFA9
_free.LIBCMT ref: 00C4CFDA
_free.LIBCMT ref: 00C4D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C4D09C
_free.LIBCMT ref: 00C4D0B5

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 40546c23015a0b73ef800e3d004633bfa05c04d30090b38abfcb9ffafc5e3448
Instruction ID: 6a6df60b8a69b5f323c692be2769586903405e2a0275a056f6ee6eb79ff79ddf
Opcode Fuzzy Hash: 40546c23015a0b73ef800e3d004633bfa05c04d30090b38abfcb9ffafc5e3448
Instruction Fuzzy Hash: 33616A71905300AFEB21AFF49CC1B6E7BA5FF01310F14416DF9519B292DB3A9E4597A0

Function 00CA50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CA5186
ShowWindow.USER32(?,00000000), ref: 00CA51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00CA51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CA51D1

Part of subcall function 00CA6FBA: DeleteObject.GDI32(00000000), ref: 00CA6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00CA520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CA524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CA5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CA5296

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: ea77a5dadc6bd99591664282d6cbbfae2666edd0fefcfe043c58b792d637fdb7
Instruction ID: 257022bb51d67e7ad6a7fda3bfc195c9f1d1f9beaf852bbcb3ac91ae1dbcf73e
Opcode Fuzzy Hash: ea77a5dadc6bd99591664282d6cbbfae2666edd0fefcfe043c58b792d637fdb7
Instruction Fuzzy Hash: 0D519030A40A0ABEEF309F65DC49BEC3B65EB07329F14C111F625962E1C775AA90EB40

Function 00C28B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C66890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C28874,00000000,00000000,00000000,000000FF,00000000), ref: 00C66901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C6691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C28874,00000000,00000000,00000000,000000FF,00000000), ref: 00C6692D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 645bf1a16091b128eb09ca0c0372c82b8946d83a9a5d1c6d9b72e49f9e244cef
Instruction ID: ab0e2f196258d975cdfcf8ac231eca985152ae88c91506de8539ec2a5750b0b0
Opcode Fuzzy Hash: 645bf1a16091b128eb09ca0c0372c82b8946d83a9a5d1c6d9b72e49f9e244cef
Instruction Fuzzy Hash: 6E519770A00209EFDB20CF25DC95FAE7BB5EB48764F10451CF922976A0DB70EA90DB50

Function 00C8C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C8C182
GetLastError.KERNEL32 ref: 00C8C195
SetEvent.KERNEL32(?), ref: 00C8C1A9

Part of subcall function 00C8C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8C272
Part of subcall function 00C8C253: GetLastError.KERNEL32 ref: 00C8C322
Part of subcall function 00C8C253: SetEvent.KERNEL32(?), ref: 00C8C336
Part of subcall function 00C8C253: InternetCloseHandle.WININET(00000000), ref: 00C8C341

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3075cc331fd717c5f73d0793418f82b0ab5674fd047f3fa50a958fb1f24ede9a
Instruction ID: d2c51bd56db1d81dc038c0dcc04fb8dfbadb800f5c09b8ba247af8cbb985e374
Opcode Fuzzy Hash: 3075cc331fd717c5f73d0793418f82b0ab5674fd047f3fa50a958fb1f24ede9a
Instruction Fuzzy Hash: 7E317E71100605AFDB21AFA5DC84B6BBBE8FF19308B00451DF96683660DB35E9149B74

Function 00C725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C72601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C72605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C7260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C72623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C72627

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d9f5be0954dad50d09e4815232f2ce8dc6ddc934d306b0f6d93290f8082dcd72
Instruction ID: 9139499922229377cd2ceaaa17a91a7d8182d9235869dd06d5015e47a0b4f733
Opcode Fuzzy Hash: d9f5be0954dad50d09e4815232f2ce8dc6ddc934d306b0f6d93290f8082dcd72
Instruction Fuzzy Hash: 5F01D431390610BBFB2067A99CCAF5D3F59DB4EB56F104001F318AF0D1C9E22445AA69

Function 00C71803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C71449,?,?,00000000), ref: 00C7180C
HeapAlloc.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C71813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C71449,?,?,00000000), ref: 00C71828
GetCurrentProcess.KERNEL32(?,00000000,?,00C71449,?,?,00000000), ref: 00C71830
DuplicateHandle.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C71833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C71449,?,?,00000000), ref: 00C71843
GetCurrentProcess.KERNEL32(00C71449,00000000,?,00C71449,?,?,00000000), ref: 00C7184B
DuplicateHandle.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C7184E
CreateThread.KERNEL32(00000000,00000000,00C71874,00000000,00000000,00000000), ref: 00C71868

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: d9616213427ba3d3f3e94f1926e167d2d22922ead79c6cf9bd4540af8905f7d0
Instruction ID: 9c52a490a50581d6f7a7321474b1ce357163cd5ed9608ceb0a3eeba52a503d36
Opcode Fuzzy Hash: d9616213427ba3d3f3e94f1926e167d2d22922ead79c6cf9bd4540af8905f7d0
Instruction Fuzzy Hash: 3401AC75340304BFE610ABA5DC89F9F3BACEB8AB15F014411FA05DB1A1DA7098108B20

Function 00C7C5D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C7C6EE
_wcslen.LIBCMT ref: 00C7C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C7C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C7C7CA

Strings

0, xrefs: 00C7C6AF
pm, xrefs: 00C7C652
pm, xrefs: 00C7C64B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0$pm$pm
API String ID: 1227352736-3127529634
Opcode ID: 0362ec78b9eb9459a5a57344c9c8f71399bf73d4609cac1de1b7fba7ab5bc50b
Instruction ID: 8f7e2fbbbc95839fb9609261427835f5d0f13e08b286aa437e51fe39382d3b9b
Opcode Fuzzy Hash: 0362ec78b9eb9459a5a57344c9c8f71399bf73d4609cac1de1b7fba7ab5bc50b
Instruction Fuzzy Hash: 1751E0716043029BD7189F29C8C5B6B77E8AF49310F048A2DF9A9D31E0DB70DA44DB52

Function 00C9A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C7D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C7D501
Part of subcall function 00C7D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C7D50F
Part of subcall function 00C7D4DC: CloseHandle.KERNELBASE(00000000), ref: 00C7D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9A16D
GetLastError.KERNEL32 ref: 00C9A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9A268
GetLastError.KERNEL32(00000000), ref: 00C9A273
CloseHandle.KERNEL32(00000000), ref: 00C9A2C4

Strings

SeDebugPrivilege, xrefs: 00C9A18F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 262446d0f10c6b01932959a860b97cf5b68a57130c7b3b573668d63d503633fb
Instruction ID: 7ba9ae32f35acd34ba64c67d0cef97c7864c86ce52419e57f839fcadf9f35ac0
Opcode Fuzzy Hash: 262446d0f10c6b01932959a860b97cf5b68a57130c7b3b573668d63d503633fb
Instruction Fuzzy Hash: CB618F30208641AFDB10DF19C498F59BBE1AF45318F14849CE46A8B7A3C772ED85DBD2

Function 00CA3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CA3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CA393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CA3954
_wcslen.LIBCMT ref: 00CA3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CA39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CA39F4

Strings

SysListView32, xrefs: 00CA38F7

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e57a9233ab9ec466a4d47bf5eff094f7c74b375b426052c03bca376b1f26a274
Instruction ID: e2a71e6da2c224cc6d508aff93024528f8a43ac479ea660e99032ff33db5bc8a
Opcode Fuzzy Hash: e57a9233ab9ec466a4d47bf5eff094f7c74b375b426052c03bca376b1f26a274
Instruction Fuzzy Hash: F241C571A00259ABDF21DFA4CC45BEE77A9EF09358F100126F954E7281D7759E80CB90

Function 00C7C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C7C913

Strings

warning, xrefs: 00C7C8FC
info, xrefs: 00C7C8B4
question, xrefs: 00C7C8CC
blank, xrefs: 00C7C895
stop, xrefs: 00C7C8E4

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 766abd51e050cbefa7670ee58b310f6e92352d146631cb2f736e7bfdc54cfe0a
Instruction ID: ba686512ad9d0f5baab782692d26b31cdc72da8b929b5da70947680a4188122f
Opcode Fuzzy Hash: 766abd51e050cbefa7670ee58b310f6e92352d146631cb2f736e7bfdc54cfe0a
Instruction Fuzzy Hash: C7110D3268930BBAE7055B559CC3DEE679CDF15354F11403FF618A62C2D7706E006365

Function 00C7DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C7DE42
gethostname.WSOCK32(?,00000100), ref: 00C7DE5C
gethostbyname.WSOCK32(?), ref: 00C7DE69
inet_ntoa.WSOCK32(?), ref: 00C7DEAB
_strcat.LIBCMT ref: 00C7DEB9
WSACleanup.WSOCK32 ref: 00C7DEDE

Strings

0.0.0.0, xrefs: 00C7DE87

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: dc695becc45a8eef145e1919de0a907009fb8f24d87bbb09551bf465cfa1ada7
Instruction ID: 17ff50be22e53acb412e450f8e5078e3d44bb9861b6b86df17aabd32a2beb925
Opcode Fuzzy Hash: dc695becc45a8eef145e1919de0a907009fb8f24d87bbb09551bf465cfa1ada7
Instruction Fuzzy Hash: 4D113632900215ABCB25AB309C4AFEE77BCDF15314F0041A9F01ADB091EF709A81DA50

Function 00C6D3A2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C6D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6D3BF
FreeLibrary.KERNEL32(00000000), ref: 00C6D3E5
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C6D3FC

Strings

kernel32.dll, xrefs: 00C6D3A8
GetSystemWow64DirectoryW, xrefs: 00C6D3B9
X64, xrefs: 00C6D2A8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
API String ID: 582185067-2904798639
Opcode ID: dc5ff6cdd5c5ba8af3b7d2d841240a46ea8a6369c5a23025057ffce6a6c4cdd2
Instruction ID: 8cc0e7e36621f18d04acdcbcdf50ee928a6c84f846017b24fa1d8b8fb625bc55
Opcode Fuzzy Hash: dc5ff6cdd5c5ba8af3b7d2d841240a46ea8a6369c5a23025057ffce6a6c4cdd2
Instruction Fuzzy Hash: 58F02770F462359BC77157519CE8B6D7334AF01B05F448065F603F7260DB30CE048AA1

Function 00CA9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

GetSystemMetrics.USER32(0000000F), ref: 00CA9FC7
GetSystemMetrics.USER32(0000000F), ref: 00CA9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CAA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CAA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CAA263
ShowWindow.USER32(00000003,00000000), ref: 00CAA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00CAA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CAA2CA

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 5eb862d968151517cd1ff7b9972da19bb4bc2b88a35bb4a7e7714f333feb916a
Instruction ID: f732d68d7256c9d579af4b35c9e05f5d3ab1ebaf85dc5e6c1325c1708ba3bb95
Opcode Fuzzy Hash: 5eb862d968151517cd1ff7b9972da19bb4bc2b88a35bb4a7e7714f333feb916a
Instruction Fuzzy Hash: A1B1EA30600216EFDF14CF68C9C97AE7BB2FF4A308F088169ED599B295D731AA50CB51

Function 00C7ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C7ED2A
_wcslen.LIBCMT ref: 00C7ED3B
_wcslen.LIBCMT ref: 00C7ED79
_wcslen.LIBCMT ref: 00C7EDAF
_wcslen.LIBCMT ref: 00C7EDDF
_wcslen.LIBCMT ref: 00C7EDEF
_wcslen.LIBCMT ref: 00C7EE2B
_wcslen.LIBCMT ref: 00C7EE5A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 5decba3f534bc3102807fb4e01f40023d6f4c014888e9e653b73b314904bbc46
Instruction ID: cd9475c3a134fbe95ea042d1655e2d1492bdcebd75af878cfd68192b1d222e48
Opcode Fuzzy Hash: 5decba3f534bc3102807fb4e01f40023d6f4c014888e9e653b73b314904bbc46
Instruction Fuzzy Hash: 4A419366C2021875CB11EBF4C88AACFB7ACAF49710F508962F518E3121FB35E655C3A6

Function 00C2F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C2F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C6F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C6F454

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f513e7348c62dc5316ceba69ebbb2a19c1301ce6e6046ef91f3830d152474229
Instruction ID: c837cfa8e49f02a3792685daf80fa939e39b40f2da5ab7f1859378aeb65d8905
Opcode Fuzzy Hash: f513e7348c62dc5316ceba69ebbb2a19c1301ce6e6046ef91f3830d152474229
Instruction Fuzzy Hash: C6412C31608698BAC738AB2EB8C873E7BB1AB56314F14443CE09757D61CA719AC3D710

Function 00CA2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CA2D1B
GetDC.USER32(00000000), ref: 00CA2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CA2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CA2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CA2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CA5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CA2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CA2DE1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a4a6a0c544bd4e8334224b536dac4192eed612231f7b1eb83db6214986056e62
Instruction ID: 0fb0b192d7fdc5515736e2de706bde06d2892b36f6b7261c6b4282221677862d
Opcode Fuzzy Hash: a4a6a0c544bd4e8334224b536dac4192eed612231f7b1eb83db6214986056e62
Instruction Fuzzy Hash: 6B314C72201224BFEB118F54CC8AFEB3BA9EF0A759F044055FE089B291D6759D51CBA4

Function 00C75622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C75637
_memcmp.LIBVCRUNTIME ref: 00C75659
_memcmp.LIBVCRUNTIME ref: 00C75671
_memcmp.LIBVCRUNTIME ref: 00C75684
_memcmp.LIBVCRUNTIME ref: 00C7569E
_memcmp.LIBVCRUNTIME ref: 00C756B1
_memcmp.LIBVCRUNTIME ref: 00C756C9
_memcmp.LIBVCRUNTIME ref: 00C756E4

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7eee89c95325a95b595f949d64401df41a4bf99667ea7631d80a5f0de7e0e15f
Instruction ID: 90a9bfa523fe7cb66ba7d0a37d232a69eef724b474a6ad45410f0a9cacac4feb
Opcode Fuzzy Hash: 7eee89c95325a95b595f949d64401df41a4bf99667ea7631d80a5f0de7e0e15f
Instruction Fuzzy Hash: 8F210BA1750A0A7BD21855228D82FFB335CAF21398F488034FD1C9A781FBB1EF1195E5

Function 00C94FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00C95007
NULL Pointer assignment, xrefs: 00C9502E, 00C95383

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0be26bb94c1261c86396ba2695ab20f01abee0da2dc53160ad4cd965e21a32c4
Instruction ID: a381865ba70646c0a07ffb658e34be84c216466532cf3f7af73067c68a104e51
Opcode Fuzzy Hash: 0be26bb94c1261c86396ba2695ab20f01abee0da2dc53160ad4cd965e21a32c4
Instruction Fuzzy Hash: 05D1D471A0060A9FDF11CFA8C889FAEB7B5FF48344F148169E925AB291E770DE45CB50

Function 00C51522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00C515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C51651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C516FB

Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C51777
__freea.LIBCMT ref: 00C517A2
__freea.LIBCMT ref: 00C517AE

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: dcf1bf6a3eb61a1a99653380de49a234ade551a56d5b55b11ae339aaf4b017d3
Instruction ID: 1e9a8bf1f542ec26c4663785e48b04e8f2e52d87f997a7382f88a717da6ef88d
Opcode Fuzzy Hash: dcf1bf6a3eb61a1a99653380de49a234ade551a56d5b55b11ae339aaf4b017d3
Instruction Fuzzy Hash: 5191B379E002069ADB208E64C889BEE7BA5EB49351F5C0659EC11E7141EB35DE88C768

Function 00C94523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C94648
VariantInit.OLEAUT32(?), ref: 00C94749
VariantClear.OLEAUT32(?), ref: 00C94753
VariantClear.OLEAUT32(?), ref: 00C947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C945D8, 00C94706, 00C947BE
Incorrect Object type in FOR..IN loop, xrefs: 00C9472C

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e7a86f055891c3c7f6138ccc8c1b77857726800aae45b895c557488cc01c0de8
Instruction ID: ae68826186965a194104b15d499114c54d13d503ffbf55311975ad511aaee550
Opcode Fuzzy Hash: e7a86f055891c3c7f6138ccc8c1b77857726800aae45b895c557488cc01c0de8
Instruction Fuzzy Hash: 7C919471A00219ABDF28CFA5D888FAE7BB8EF46715F108559F515AB280D7709942CFA0

Function 00C81187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C8125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C81284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C8135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C81430

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 38a7d0d01428617da6e15b681c985fa430bad06b4bdde1e1227b358fd0c18246
Instruction ID: af883c478f994ef19ecd04ddc84113973f39256346aaa48cb53b8ec51c9b5325
Opcode Fuzzy Hash: 38a7d0d01428617da6e15b681c985fa430bad06b4bdde1e1227b358fd0c18246
Instruction Fuzzy Hash: 6C910271A00218AFDB00EF94C884BBEB7F9FF45319F194029E910EB291D774E942DB98

Function 00C2948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3722211da4197d8335889d59bead01fbb2abe060499f1455d66e32890fbe8c0a
Instruction ID: daa4a189429b1f118013b290f58e9ad8faf771d79cde92db8ba1cd58097f4ce8
Opcode Fuzzy Hash: 3722211da4197d8335889d59bead01fbb2abe060499f1455d66e32890fbe8c0a
Instruction Fuzzy Hash: 15916871E00219EFCB10CFA9DC84AEEBBB8FF49320F148559E915B7251D378AA41DB60

Function 00C93947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C9396B
CharUpperBuffW.USER32(?,?), ref: 00C93A7A
_wcslen.LIBCMT ref: 00C93A8A
VariantClear.OLEAUT32(?), ref: 00C93C1F

Part of subcall function 00C80CDF: VariantInit.OLEAUT32(00000000), ref: 00C80D1F
Part of subcall function 00C80CDF: VariantCopy.OLEAUT32(?,?), ref: 00C80D28
Part of subcall function 00C80CDF: VariantClear.OLEAUT32(?), ref: 00C80D34

Strings

AUTOIT.ERROR, xrefs: 00C93A80, 00C93A85
Incorrect Parameter format, xrefs: 00C939A6, 00C93BA1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: dccbf534b6e1f53d61099f2a4e1b7261c69603833dbd02d088eb6155ee1108fe
Instruction ID: 9aa5a9f4648dfdcd15fc2ebcbc841e4b83edc6ac306afdef0c455f435ffec567
Opcode Fuzzy Hash: dccbf534b6e1f53d61099f2a4e1b7261c69603833dbd02d088eb6155ee1108fe
Instruction Fuzzy Hash: 919198746083419FCB00EF64C48496AB7E4FF89314F14892EF89A9B351DB30EE46DB92

Function 00C94BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C7000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?,?,00C7035E), ref: 00C7002B
Part of subcall function 00C7000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70046
Part of subcall function 00C7000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70054
Part of subcall function 00C7000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?), ref: 00C70064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C94C51
_wcslen.LIBCMT ref: 00C94D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C94DCF
CoTaskMemFree.OLE32(?), ref: 00C94DDA

Strings

NULL Pointer assignment, xrefs: 00C94E23, 00C94E52

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 672db2963c193229af4316c6d75588531374d2c0ff64d5f39899a2eb1783ef43
Instruction ID: dbbae78feccd10028025debe4100a0f9e63dfa0d66dda1984dd6178cdd19795a
Opcode Fuzzy Hash: 672db2963c193229af4316c6d75588531374d2c0ff64d5f39899a2eb1783ef43
Instruction Fuzzy Hash: 15911671D00219EFDF14DFA4C895EEEB7B8BF09314F10816AE919A7291EB309A45DF60

Function 00C97B7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C30242: EnterCriticalSection.KERNEL32(00CE070C,00CE1884,?,?,00C2198B,00CE2518,?,?,?,00C112F9,00000000), ref: 00C3024D
Part of subcall function 00C30242: LeaveCriticalSection.KERNEL32(00CE070C,?,00C2198B,00CE2518,?,?,?,00C112F9,00000000), ref: 00C3028A

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C300A3: __onexit.LIBCMT ref: 00C300A9

__Init_thread_footer.LIBCMT ref: 00C97BFB

Part of subcall function 00C301F8: EnterCriticalSection.KERNEL32(00CE070C,?,?,00C28747,00CE2514), ref: 00C30202
Part of subcall function 00C301F8: LeaveCriticalSection.KERNEL32(00CE070C,?,00C28747,00CE2514), ref: 00C30235

Strings

GpE, xrefs: 00C97C96
5, xrefs: 00C97C78
GpE, xrefs: 00C97CD4, 00C97D73, 00C97D05, 00C97E05
Variable must be of type 'Object'., xrefs: 00C97C3A
pE, xrefs: 00C97D5C, 00C97C50

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$GpE$GpE$Variable must be of type 'Object'.$pE
API String ID: 535116098-3857147788
Opcode ID: 27ad1e7594f6926363e7d8f1c86ea96a46feea7a79cde332f406f0e5063dee16
Instruction ID: 47940d927af1ffd3b063b5325eebaee9b2d956505bdac81f2749d2712eb2beef
Opcode Fuzzy Hash: 27ad1e7594f6926363e7d8f1c86ea96a46feea7a79cde332f406f0e5063dee16
Instruction Fuzzy Hash: BA91BA71A15209EFCF04EF94C8999ADB7B1FF49304F108159F816AB292DB31AE81EB50

Function 00CA20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CA2183
GetMenuItemCount.USER32(00000000), ref: 00CA21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CA21DD
_wcslen.LIBCMT ref: 00CA2213
GetMenuItemID.USER32(?,?), ref: 00CA224D
GetSubMenu.USER32(?,?), ref: 00CA225B

Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CA22E3

Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: e7d9458342b9f243f7e2cb792e6448d6f12c0a6911a7ee6f189cc980c92236a5
Instruction ID: e7a1a425effe4f2738ca43d521bcb1f700fa1329d0cc4cbd116fe97e2a50c56f
Opcode Fuzzy Hash: e7d9458342b9f243f7e2cb792e6448d6f12c0a6911a7ee6f189cc980c92236a5
Instruction Fuzzy Hash: DB71B335E00216AFCB10DFA8C881BAEB7F5EF4A324F108458E916EB351D734EE419B90

Function 00CA7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E96CD0), ref: 00CA7F37
IsWindowEnabled.USER32(00E96CD0), ref: 00CA7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CA801E
SendMessageW.USER32(00E96CD0,000000B0,?,?), ref: 00CA8051
IsDlgButtonChecked.USER32(?,?), ref: 00CA8089
GetWindowLongW.USER32(00E96CD0,000000EC), ref: 00CA80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CA80C3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b5a636e1062723e9dfdb6a39ab7c01c58e21f79d71c4ea717c9322b3709cc409
Instruction ID: 5ff05bace3e85225f4311eb59609bd73b8fce673d23c850028f42ff32774faf9
Opcode Fuzzy Hash: b5a636e1062723e9dfdb6a39ab7c01c58e21f79d71c4ea717c9322b3709cc409
Instruction Fuzzy Hash: 48719D34608206AFEB21DF94CCD4FAA7BB9FF0B308F144159F96597261CB31AA55DB20

Function 00C7AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C7AEF9
GetKeyboardState.USER32(?), ref: 00C7AF0E
SetKeyboardState.USER32(?), ref: 00C7AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C7AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C7AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C7AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C7B020

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4688906ac090826a93ac113c9ed6df3857baef8a7de03b18c524953368b93084
Instruction ID: 086114510bd47e1c4864d8aaa98ab49b208d0606d8a3fb019c38b90a88c483c1
Opcode Fuzzy Hash: 4688906ac090826a93ac113c9ed6df3857baef8a7de03b18c524953368b93084
Instruction Fuzzy Hash: C851C1E06087D53DFB3682748845BBEBEA95B46304F08C589E1ED958C3C398AED4D751

Function 00C7ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C7AD19
GetKeyboardState.USER32(?), ref: 00C7AD2E
SetKeyboardState.USER32(?), ref: 00C7AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C7ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C7ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C7AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C7AE38

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e22d98b5cd12958a560b682b8196e8c42791b30e2d7002ee6ca49d5f856728cc
Instruction ID: f6a44ab7ec1f8439095392ef2265719d83ea5371a11eca2a843f522b27594c7f
Opcode Fuzzy Hash: e22d98b5cd12958a560b682b8196e8c42791b30e2d7002ee6ca49d5f856728cc
Instruction Fuzzy Hash: 4951D6A15047D53DFB3683348C95BBE7EA96B86300F08C489E1ED468C3D294EE94E752

Function 00C4542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C53CD6,?,?,?,?,?,?,?,?,00C45BA3,?,?,00C53CD6,?,?), ref: 00C45470
__fassign.LIBCMT ref: 00C454EB
__fassign.LIBCMT ref: 00C45506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C53CD6,00000005,00000000,00000000), ref: 00C4552C
WriteFile.KERNEL32(?,00C53CD6,00000000,00C45BA3,00000000,?,?,?,?,?,?,?,?,?,00C45BA3,?), ref: 00C4554B
WriteFile.KERNEL32(?,?,00000001,00C45BA3,00000000,?,?,?,?,?,?,?,?,?,00C45BA3,?), ref: 00C45584

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: de5afda4caaca981d0fc51550d453be4d37a525d4a6bfdda3aaa85da87dc339f
Instruction ID: 87f799220b33e1268d50cd7cb76d57d4f8ffcccb486c60c6ff9d3fb40e050203
Opcode Fuzzy Hash: de5afda4caaca981d0fc51550d453be4d37a525d4a6bfdda3aaa85da87dc339f
Instruction Fuzzy Hash: 7651C3B1A00649AFDB11CFA8D885BEEBBF9FF09310F14411AF955E7292D7309A41CB60

Function 00C42051 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C420C3
_free.LIBCMT ref: 00C420E3

Strings

pE, xrefs: 00C42076, 00C420B8, 00C420D8, 00C42158

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free
String ID: pE
API String ID: 269201875-3876148486
Opcode ID: 02486860fd1d424121392623f8d10b6a46551600fc63ca2e71f70b904b95004f
Instruction ID: b19240197a56ccea0a72bce3529d795c55f8f2b5eb6317d320186160d17c6c96
Opcode Fuzzy Hash: 02486860fd1d424121392623f8d10b6a46551600fc63ca2e71f70b904b95004f
Instruction Fuzzy Hash: 6C41D232A002049FDB24DF78C882A5EB7F5FF89314F5545A9F516EB396DA31AE01DB80

Function 00C32D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C32D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C32D53
_ValidateLocalCookies.LIBCMT ref: 00C32DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C32E0C
_ValidateLocalCookies.LIBCMT ref: 00C32E61

Strings

csm, xrefs: 00C32DF6

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0073106204bd138aa915a011456cb3cd79456d5cf3284cbb5c61a25f54efde63
Instruction ID: f904f1f1777378d395fc78f1ea3065b82b53f8907ae2d776f204633d5ad1dcd6
Opcode Fuzzy Hash: 0073106204bd138aa915a011456cb3cd79456d5cf3284cbb5c61a25f54efde63
Instruction Fuzzy Hash: 3241D534E20209EBCF10DF68CC85A9EBBB5BF44325F148156E925AB392D731EA05CBD1

Function 00C910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C9307A
Part of subcall function 00C9304E: _wcslen.LIBCMT ref: 00C9309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C91112
WSAGetLastError.WSOCK32 ref: 00C91121
WSAGetLastError.WSOCK32 ref: 00C911C9
closesocket.WSOCK32(00000000), ref: 00C911F9

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 357c2c931211a55ffdde612fc36e237729619dfdb1d9daa842df05f72029b3ba
Instruction ID: ce6fb58a3d4dde851fa4a73c497ec31783931eef653d6ac91d98dbcb9da2d875
Opcode Fuzzy Hash: 357c2c931211a55ffdde612fc36e237729619dfdb1d9daa842df05f72029b3ba
Instruction Fuzzy Hash: 3741E731600205AFDB109F54C889BADB7E9FF46368F188059FD259B291C774EE81CBE1

Function 00C7CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C7CF22,?), ref: 00C7DDFD

Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C7CF22,?), ref: 00C7DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C7CF45
MoveFileW.KERNEL32(?,?), ref: 00C7CF7F
_wcslen.LIBCMT ref: 00C7D005
_wcslen.LIBCMT ref: 00C7D01B
SHFileOperationW.SHELL32(?), ref: 00C7D061

Strings

\*.*, xrefs: 00C7CFF3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: f911568f0b69b129dc2a117e0aab97d15a8991a116a6ac7048a8994e3af6e7d3
Instruction ID: ac7324059765c478c2d6bd2e929d7b73c0f0483c8f91b32f9264cb5b95657d9a
Opcode Fuzzy Hash: f911568f0b69b129dc2a117e0aab97d15a8991a116a6ac7048a8994e3af6e7d3
Instruction Fuzzy Hash: 294154719052195FDF12EFA4C9C1BDEB7BCAF19380F0040EAE509EB142EA34A788DB50

Function 00CA2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CA2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00CA2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00CA2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CA2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CA2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00CA2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA2F0B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 22d297d87d376fba98b81619aee8c252aca06bc0b584464b4fbc64b17598e45f
Instruction ID: d9b30bedb621b1d4647a81da5e4fef2459cadffdda321c4c26ca688651948ae6
Opcode Fuzzy Hash: 22d297d87d376fba98b81619aee8c252aca06bc0b584464b4fbc64b17598e45f
Instruction Fuzzy Hash: 2C31E2306041A2AFDB21CF5CDCC4FA937E1EB4A729F190164F9118F2A2CB71AD90DB41

Function 00C77726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7778F
SysAllocString.OLEAUT32(00000000), ref: 00C77792
SysAllocString.OLEAUT32(?), ref: 00C777B0
SysFreeString.OLEAUT32(?), ref: 00C777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C777DE
SysAllocString.OLEAUT32(?), ref: 00C777EC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8b0870fff4c871680d8f517f2d0d1778e93a9cf24b7567bf6b231bcbfb832cc4
Instruction ID: 2f8b681f4cac58f69f02ff3b5b7b6c046a025bd39096de34bb8e1ca78d44147d
Opcode Fuzzy Hash: 8b0870fff4c871680d8f517f2d0d1778e93a9cf24b7567bf6b231bcbfb832cc4
Instruction Fuzzy Hash: E021AE7660421DAFDB15DFA8DC88EBF77ACEB093647008125BA18DB190D670DD42C764

Function 00C777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77868
SysAllocString.OLEAUT32(00000000), ref: 00C7786B
SysAllocString.OLEAUT32 ref: 00C7788C
SysFreeString.OLEAUT32 ref: 00C77895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C778AF
SysAllocString.OLEAUT32(?), ref: 00C778BD

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 71332c805b9633c66a6c207b69eeae365d858f4e0ac805f6a467d69923f69601
Instruction ID: 31c8666d4d915d2022d49ae9bb2f21b20e8fcd57da2fa3d9e49674c98e5c2e44
Opcode Fuzzy Hash: 71332c805b9633c66a6c207b69eeae365d858f4e0ac805f6a467d69923f69601
Instruction Fuzzy Hash: 79216031608218AFDB109FB8DC8CEBA77ECEB09764710C225F919DB2A1DA74DD41CB65

Function 00C804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C8052E

Strings

nul, xrefs: 00C80567

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5ff784aae3ec35c7b596d3cf0f1a61676a931bbcdecedc13d70fd88b172e187c
Instruction ID: 301d0c93f27dcfb515e0ac3741a19c7fdd7bedd640b5066f357c0f599820fb5b
Opcode Fuzzy Hash: 5ff784aae3ec35c7b596d3cf0f1a61676a931bbcdecedc13d70fd88b172e187c
Instruction Fuzzy Hash: E0217C71600305AFDB20AF29D844B9A77A4AF45728F304A29E8B1D72E0D7709A48CF28

Function 00C805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C80601

Strings

nul, xrefs: 00C80639

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f940ea153e14d63a6cdbed656b53ceaca50c7a4fca16b47b449b80d11740c85b
Instruction ID: 7ed307e476e188b329eae23dac8ed575e7ae2da17bc22abcffd59783f08d3018
Opcode Fuzzy Hash: f940ea153e14d63a6cdbed656b53ceaca50c7a4fca16b47b449b80d11740c85b
Instruction Fuzzy Hash: 2E217F755003059FDB60AF698C44B9A77E4AF96729F300B19FCB1E72E0E7709964CB28

Function 00CA40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
Part of subcall function 00C1600E: GetStockObject.GDI32(00000011), ref: 00C16060
Part of subcall function 00C1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CA4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CA411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CA412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CA4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CA4145

Strings

Msctls_Progress32, xrefs: 00CA40E3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 6ad7bb5f6e882fa5db2e689409164c9dfcaad99c42a02da9d58b02e4d00c91f1
Instruction ID: ba8b3d0913f3e47db2225d08c9b001e1bb1d527a8f9c040e4155fbdbefc9d641
Opcode Fuzzy Hash: 6ad7bb5f6e882fa5db2e689409164c9dfcaad99c42a02da9d58b02e4d00c91f1
Instruction Fuzzy Hash: 2F1186B115011A7EEF119F64CC85EEB7F5DEF09798F014111FB18A6150C672DC61DBA4

Function 00C4D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C4D7A3: _free.LIBCMT ref: 00C4D7CC

_free.LIBCMT ref: 00C4D82D

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C4D838
_free.LIBCMT ref: 00C4D843
_free.LIBCMT ref: 00C4D897
_free.LIBCMT ref: 00C4D8A2
_free.LIBCMT ref: 00C4D8AD
_free.LIBCMT ref: 00C4D8B8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c5d0dc2b14f6a00394a91677fa80e57b9e5fcfa1156ee0aaeca74245a117bbc9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 59115B71940B04ABEA21BFB1CC47FCB7BDCBF10700F800825B69AE6292DA75B505A660

Function 00C7DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C7DA74
LoadStringW.USER32(00000000), ref: 00C7DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C7DA91
LoadStringW.USER32(00000000), ref: 00C7DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C7DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C7DAB9

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: bb1a78ba709b76baa6a73d4b5b437dd537c3f340a985b011039ca16d84eadf34
Instruction ID: ea472d6e6f16dd1ee9c5ca5e881259c88919a6e4a409d05420a88f35a30d4fda
Opcode Fuzzy Hash: bb1a78ba709b76baa6a73d4b5b437dd537c3f340a985b011039ca16d84eadf34
Instruction Fuzzy Hash: C1014FF25002087BE710DBA09DC9FEA726CEB09705F404496B70AE3041EA749E848B74

Function 00C8096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E8F2B8,00E8F2B8), ref: 00C8097B
EnterCriticalSection.KERNEL32(00E8F298,00000000), ref: 00C8098D
TerminateThread.KERNEL32(?,000001F6), ref: 00C8099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00C809A9
CloseHandle.KERNEL32(?), ref: 00C809B8
InterlockedExchange.KERNEL32(00E8F2B8,000001F6), ref: 00C809C8
LeaveCriticalSection.KERNEL32(00E8F298), ref: 00C809CF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4da88825e253aab746a1c339b4746d3066cc485b6f352a0703810abe80a005e5
Instruction ID: 2dc40fe32902d32fc681ecf536aa1ebef526f413371b957bfcaf551ff57c2427
Opcode Fuzzy Hash: 4da88825e253aab746a1c339b4746d3066cc485b6f352a0703810abe80a005e5
Instruction Fuzzy Hash: A0F03C32542A02BBD7415FA4EECCBDABB39FF0270AF502125F202928A1CB749575CF94

Function 00C15D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C15D30
GetWindowRect.USER32(?,?), ref: 00C15D71
ScreenToClient.USER32(?,?), ref: 00C15D99
GetClientRect.USER32(?,?), ref: 00C15ED7
GetWindowRect.USER32(?,?), ref: 00C15EF8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c2096b0522782e0d5e3dc38332a6e9b3943c77f8a67c2ab60cab734128e3122b
Instruction ID: 4171e58a5bca64fc30b6d54900d56ef02f72ccb2661aeaa7f932ddbed1129948
Opcode Fuzzy Hash: c2096b0522782e0d5e3dc38332a6e9b3943c77f8a67c2ab60cab734128e3122b
Instruction Fuzzy Hash: 15B17A78A00A4ADBDB14CFA9C4807EEB7F1FF49314F14841AE8A9D7250DB34AA91DB54

Function 00C401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C400D6
__allrem.LIBCMT ref: 00C400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C4010B
__allrem.LIBCMT ref: 00C40122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C40140

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 4aaa9a8cb4931cb10da43ef37dbc1045fbbbb4af3b7bf2fd7cc240c55ce71b94
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 3F81F572A407069BE724AE69CC42B6F73E8BF55324F24493EFA21D7281E770DE419B50

Function 00C91D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00C9101C,00000000,?,?,00000000), ref: 00C93195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C91DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C91DE1
WSAGetLastError.WSOCK32 ref: 00C91DF2
inet_ntoa.WSOCK32(?), ref: 00C91E8C
htons.WSOCK32(?,?,?,?,?), ref: 00C91EDB
_strlen.LIBCMT ref: 00C91F35

Part of subcall function 00C739E8: _strlen.LIBCMT ref: 00C739F2

Part of subcall function 00C16D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00C2CF58,?,?,?), ref: 00C16DBA
Part of subcall function 00C16D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00C2CF58,?,?,?), ref: 00C16DED

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 139a33ce15e14dadb8f7740375fe08d012f43e61f3c46d3bf6f890bc78e6afbb
Instruction ID: b2a58386308bd8286dc3a08a1fdc7f7c1706d3918acda515d1d280aa0d288756
Opcode Fuzzy Hash: 139a33ce15e14dadb8f7740375fe08d012f43e61f3c46d3bf6f890bc78e6afbb
Instruction Fuzzy Hash: 53A13631104341AFC714DF60C88AF6A77E5AF85318F58894CF8665B2E2CB31EE82DB91

Function 00C461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C382D9,00C382D9,?,?,?,00C4644F,00000001,00000001,8BE85006), ref: 00C46258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C4644F,00000001,00000001,8BE85006,?,?,?), ref: 00C462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C463D8
__freea.LIBCMT ref: 00C463E5

Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

__freea.LIBCMT ref: 00C463EE
__freea.LIBCMT ref: 00C46413

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 87545e721216235400a577f7e1301a8ac4174be23776b6df5a020829e1057a9c
Instruction ID: b6a06c6f1ad50a1a51d698deab0a6b956828ddbd96378919e3391a7390e448c6
Opcode Fuzzy Hash: 87545e721216235400a577f7e1301a8ac4174be23776b6df5a020829e1057a9c
Instruction Fuzzy Hash: 55513172A00246ABEB258F60CC81FAF7BA9FF86710F144229FD15D7194EB34DD80D6A1

Function 00C9BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9BD25
RegCloseKey.ADVAPI32(00000000), ref: 00C9BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C9BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C9BDF3
RegCloseKey.ADVAPI32(?), ref: 00C9BDFF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c6481fd701fc309e2f74e5059960a9eb1acedb0836009d84f5088644ded5c3b5
Instruction ID: 8e9162ebd7cdb521720f0711c43c29f0a23ed51e3f777543fb9ea2a563b647f6
Opcode Fuzzy Hash: c6481fd701fc309e2f74e5059960a9eb1acedb0836009d84f5088644ded5c3b5
Instruction Fuzzy Hash: 2181D031208241EFCB14DF24C999E6ABBE5FF85308F14855CF4594B2A2CB31EE45DB92

Function 00C6F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C6F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C6F860
VariantCopy.OLEAUT32(00C6FA64,00000000), ref: 00C6F889
VariantClear.OLEAUT32(00C6FA64), ref: 00C6F8AD
VariantCopy.OLEAUT32(00C6FA64,00000000), ref: 00C6F8B1
VariantClear.OLEAUT32(?), ref: 00C6F8BB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 43cac0459593ccc0dfa9be6fad8fe8b6133516ce393377e7bda00fd71d6c87ce
Instruction ID: 49f5afa76cdfa036bfbe3a1507b3bd40fea39def0ff8917f78671f13755a3da0
Opcode Fuzzy Hash: 43cac0459593ccc0dfa9be6fad8fe8b6133516ce393377e7bda00fd71d6c87ce
Instruction Fuzzy Hash: A551D835500310BADF30AF66E8D5769B3A5EF46310F24546EE906DF291DB708C42DB56

Function 00C8910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C894E5
_wcslen.LIBCMT ref: 00C89506
_wcslen.LIBCMT ref: 00C8952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00C89585

Strings

X, xrefs: 00C89412

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c8621fddb252e9fa939ff5eff0b88b0918b70ca71bb2175d8e7ea3535760751a
Instruction ID: 5932d36935d422364efdd8f72eb566603453afed043c3fa6b7ad214a4132ffe8
Opcode Fuzzy Hash: c8621fddb252e9fa939ff5eff0b88b0918b70ca71bb2175d8e7ea3535760751a
Instruction Fuzzy Hash: CCE1B3315043009FD714EF24C881AAEB7E4FF85318F08896DF8999B2A2DB30ED45DB96

Function 00C2920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

BeginPaint.USER32(?,?,?), ref: 00C29241
GetWindowRect.USER32(?,?), ref: 00C292A5
ScreenToClient.USER32(?,?), ref: 00C292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C292D3
EndPaint.USER32(?,?,?,?,?), ref: 00C29321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C671EA

Part of subcall function 00C29339: BeginPath.GDI32(00000000), ref: 00C29357

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0d8f3ed64c7c804688e62e1ecfb4ac45deff12f4ef654225506753400823a1a9
Instruction ID: 01c2724ca7703e05504bcc9e97a97e5b9f90bbdb30ed0202793cc30a4a9f332a
Opcode Fuzzy Hash: 0d8f3ed64c7c804688e62e1ecfb4ac45deff12f4ef654225506753400823a1a9
Instruction Fuzzy Hash: 1341AB71104310AFD720DF25ECC4FBE7BB8EB46724F040629F9A48B2A2C7309945DB61

Function 00C807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C8080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C80847
EnterCriticalSection.KERNEL32(?), ref: 00C80863
LeaveCriticalSection.KERNEL32(?), ref: 00C808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C80921

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d2bce6a2fd5488a27473e97264dd2b2dfb556e69aab20450531993f8f45cf11a
Instruction ID: 1419f58d7f9f3679ca31c99abf1284717b00d98ebdf3b89827a088d10fb2c6e0
Opcode Fuzzy Hash: d2bce6a2fd5488a27473e97264dd2b2dfb556e69aab20450531993f8f45cf11a
Instruction Fuzzy Hash: 5E414971A00205EBDF15AF54DC85BAA77B8FF05314F1440A9ED00AA297DB30DE65DBA4

Function 00CA81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C6F3AB,00000000,?,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00CA824C
EnableWindow.USER32(?,00000000), ref: 00CA8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CA82D1
ShowWindow.USER32(?,00000004), ref: 00CA82E5
EnableWindow.USER32(?,00000001), ref: 00CA830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CA832F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7b252f1eeb07d65b67bec318d550a688ff15b4a398115e517b86dbdeb110d888
Instruction ID: 52c879f6b0fd249c131c663b3bcf52fc590871c7d5ab008eb7f8b04e863e9b0e
Opcode Fuzzy Hash: 7b252f1eeb07d65b67bec318d550a688ff15b4a398115e517b86dbdeb110d888
Instruction Fuzzy Hash: F141B430601645EFDF15CF14D8D9BE87BE0BB0B718F184269EA584F272CB31A959CB50

Function 00C74C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C74C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C74CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C74CEA
_wcslen.LIBCMT ref: 00C74D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C74D10
_wcsstr.LIBVCRUNTIME ref: 00C74D1A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 01f3048b002be259848accfdb0235c60f5a51b78f185cee2c8436f495c82b88d
Instruction ID: 22404f61c250ac3c2063e47f742473ae5b922a5d56b8bb9b0b30f27d4f3deb1c
Opcode Fuzzy Hash: 01f3048b002be259848accfdb0235c60f5a51b78f185cee2c8436f495c82b88d
Instruction Fuzzy Hash: FB21C531204214BBEB2A9B69EC49B7F7BACDF56750F108079F809CA191EB61DD0196A0

Function 00C8581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2

_wcslen.LIBCMT ref: 00C8587B
CoInitialize.OLE32(00000000), ref: 00C85995
CoCreateInstance.OLE32(00CAFCF8,00000000,00000001,00CAFB68,?), ref: 00C859AE
CoUninitialize.OLE32 ref: 00C859CC

Strings

.lnk, xrefs: 00C85876, 00C858C1, 00C85985

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: aae30f6b250f2771df05e140a6241ac20956ca8a6545731f47344ce728957869
Instruction ID: f81c3b16c5cab0a4a08d6f8ca8910ae4907bdc8282679ecbbecca69c8cdf438d
Opcode Fuzzy Hash: aae30f6b250f2771df05e140a6241ac20956ca8a6545731f47344ce728957869
Instruction Fuzzy Hash: 26D174706047019FC704EF24C480A6ABBF2EF8A318F14495DF8999B361D771ED46DB92

Function 00C7175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C70FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C70FCA
Part of subcall function 00C70FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C70FD6
Part of subcall function 00C70FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C70FE5
Part of subcall function 00C70FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C70FEC
Part of subcall function 00C70FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C71002

GetLengthSid.ADVAPI32(?,00000000,00C71335), ref: 00C717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C717BA
HeapAlloc.KERNEL32(00000000), ref: 00C717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C717DA
GetProcessHeap.KERNEL32(00000000,00000000,00C71335), ref: 00C717EE
HeapFree.KERNEL32(00000000), ref: 00C717F5

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3551a6d869463f3ca03929be5cc3c5b556457d6ef96166a7a87e0176d41a6c34
Instruction ID: e37089d4a2e2c42f9d9eabcde80b4b65caad4b31ab93cf2d1cddc64a73d041a7
Opcode Fuzzy Hash: 3551a6d869463f3ca03929be5cc3c5b556457d6ef96166a7a87e0176d41a6c34
Instruction Fuzzy Hash: 99118E71600205FFDB189FA8CC89BAE7BADEB46359F188018F95597210D735AA44CB60

Function 00C714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C71506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C71515
CloseHandle.KERNEL32(00000004), ref: 00C71520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C71563

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bd265ad736208532a25f2548808aa4844a3a51f0832e34b93e8c60e9593404c7
Instruction ID: a7ab0a41f4f3a70a2f747693a9ce26931c2e5bf570dfca32e727aa6b74eb3b66
Opcode Fuzzy Hash: bd265ad736208532a25f2548808aa4844a3a51f0832e34b93e8c60e9593404c7
Instruction Fuzzy Hash: 8111377250120DABDF118FA8DD89FDE7BA9EF49748F088025FE19A2160C375CE64DB60

Function 00C33382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C33379,00C32FE5), ref: 00C33390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C3339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C333B7
SetLastError.KERNEL32(00000000,?,00C33379,00C32FE5), ref: 00C33409

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0a8a9ee01b2d09dcd15065f9ab777805edcb0435ae32bdebb85d79236182fd76
Instruction ID: 5282f95c41a0cf2035faebaefc449905457dff64e2e2a0e26eebdfc92b05e5d0
Opcode Fuzzy Hash: 0a8a9ee01b2d09dcd15065f9ab777805edcb0435ae32bdebb85d79236182fd76
Instruction Fuzzy Hash: 8C01FC3362E352BEEA1537757CC675F6F54EB15379F20822AF520851F0EF115E02A544

Function 00C42D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C45686,00C53CD6,?,00000000,?,00C45B6A,?,?,?,?,?,00C3E6D1,?,00CD8A48), ref: 00C42D78
_free.LIBCMT ref: 00C42DAB
_free.LIBCMT ref: 00C42DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C3E6D1,?,00CD8A48,00000010,00C14F4A,?,?,00000000,00C53CD6), ref: 00C42DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C3E6D1,?,00CD8A48,00000010,00C14F4A,?,?,00000000,00C53CD6), ref: 00C42DEC
_abort.LIBCMT ref: 00C42DF2

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 11ca9495eb42d2af9cb0f7b21ccaab53f841fe25359bf369631a0f29eb3ac81a
Instruction ID: 9f92fb9d528a807a2e90e8bdb39cab40fec5c93ea01c579eaebf034efe114276
Opcode Fuzzy Hash: 11ca9495eb42d2af9cb0f7b21ccaab53f841fe25359bf369631a0f29eb3ac81a
Instruction Fuzzy Hash: 3EF0C832D05A0127C6226735BC4BF5E2669BFC27A5F740419F834931E2EF748901E160

Function 00CA8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296A2
Part of subcall function 00C29639: BeginPath.GDI32(?), ref: 00C296B9
Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CA8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CA8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CA8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CA8A80
EndPath.GDI32(?), ref: 00CA8A90
StrokePath.GDI32(?), ref: 00CA8AA0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6c9679d85c7bf381e8683c0afedda8d4f08b9584b6c62aced81440dace4b715c
Instruction ID: e0aeff70943373c35185885a3210e2507db008138e5294d4371857c6b0011cd4
Opcode Fuzzy Hash: 6c9679d85c7bf381e8683c0afedda8d4f08b9584b6c62aced81440dace4b715c
Instruction Fuzzy Hash: 8A11C97600015DFFDB129F94DC88FAE7F6DEB09354F048012BA199A1A1C7719E55DBA0

Function 00C751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C75218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C75229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C75230
ReleaseDC.USER32(00000000,00000000), ref: 00C75238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C7524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C75261

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 717d7dfd5ce29b56335944d76196c09ac0d9967ca1600f5ca12b47b1ede77886
Instruction ID: e4171eb19cfa9eaa1d8c990fbefe0965faaae8e9aee13a4ffd9d4492f6b943c1
Opcode Fuzzy Hash: 717d7dfd5ce29b56335944d76196c09ac0d9967ca1600f5ca12b47b1ede77886
Instruction Fuzzy Hash: 5E014F75A00718BBEB109BA59C89B5EBFB8EB49751F044065FA04A7281D6709D01CBA0

Function 00C11BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C11BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C11BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C11C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C11C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C11C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C11C22

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9c15082eb30354213bfee99d28cc4a66c50fe0e994b0b705d7193683cdf9161c
Instruction ID: a7fc62f9d2dc1e5aea39aadbbc8d434e70a7c89904136cb1b4317f693ad8562c
Opcode Fuzzy Hash: 9c15082eb30354213bfee99d28cc4a66c50fe0e994b0b705d7193683cdf9161c
Instruction Fuzzy Hash: 4F0167B0902B5ABDE3008F6A8C85B56FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 00C7EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C7EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C7EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C7EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB75

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6d69720ed31fa258d2ac85c50687409cf44d8b2f450bd7b3a3fecd70b3d7a905
Instruction ID: 718fa6ef987be03163bcba1bf5523845c0ee8e921c6a998176010cffea87ad1c
Opcode Fuzzy Hash: 6d69720ed31fa258d2ac85c50687409cf44d8b2f450bd7b3a3fecd70b3d7a905
Instruction Fuzzy Hash: E0F05472241158BBE7215B629C4DFEF3E7CEFCBB15F004159F611D2091DBA05A01C6B5

Function 00C67439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C67452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C67469
GetWindowDC.USER32(?), ref: 00C67475
GetPixel.GDI32(00000000,?,?), ref: 00C67484
ReleaseDC.USER32(?,00000000), ref: 00C67496
GetSysColor.USER32(00000005), ref: 00C674B0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: eafee67606e2c2619e46f29636934ebbe62e6cf44b356fda308da569ef87e539
Instruction ID: c19e8b44d815096e33fba5e8ce59a9d3c11b92a4f5f9d0ac0619a008162c6d64
Opcode Fuzzy Hash: eafee67606e2c2619e46f29636934ebbe62e6cf44b356fda308da569ef87e539
Instruction Fuzzy Hash: 9E018B31400215EFDB209FA4DD88BAE7BB5FB05319F140560F926A31A0CF311E51EF50

Function 00C71874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C7187F
UnloadUserProfile.USERENV(?,?), ref: 00C7188B
CloseHandle.KERNEL32(?), ref: 00C71894
CloseHandle.KERNEL32(?), ref: 00C7189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C718A5
HeapFree.KERNEL32(00000000), ref: 00C718AC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: adf68bbd5a7d9e55fdf4a205740ca9824df66b3c664218c7c2b0bd85868cc687
Instruction ID: 62bde819576f4fee5bef881085fd59299cc01cbe0ab32f26c32817fd50090999
Opcode Fuzzy Hash: adf68bbd5a7d9e55fdf4a205740ca9824df66b3c664218c7c2b0bd85868cc687
Instruction Fuzzy Hash: 85E0C236204101BBDA015BA1ED4CB8EBB69FB4AB26B108220F22582070CB329421DF50

Function 00C9AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00C9AEA3

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

GetProcessId.KERNEL32(00000000), ref: 00C9AF38
CloseHandle.KERNEL32(00000000), ref: 00C9AF67

Strings

<, xrefs: 00C9AE6B
@, xrefs: 00C9AE72

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6101f9619dbb7ad945b1f4bd2b126b1b30392909739453f7be866b0125c0d86e
Instruction ID: ce82d40013ed6299231c3e67edfd3d5aef691ff28be89dfea2edf210534ab247
Opcode Fuzzy Hash: 6101f9619dbb7ad945b1f4bd2b126b1b30392909739453f7be866b0125c0d86e
Instruction Fuzzy Hash: F9713871A00219DFCF14DF94C488A9EBBF1EF09314F048499E816AB762CB75EE85DB91

Function 00C7719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C77206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C7723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C7724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C772CF

Strings

DllGetClassObject, xrefs: 00C77242

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: da6130c0734fe0a5f8ac12bd44f513c1870dad31bbde2ac1b06d8e225452f560
Instruction ID: 506bcb1d31aa68f733fe41f21b06f41c1d7810e488537d68825b2059f5e48b3e
Opcode Fuzzy Hash: da6130c0734fe0a5f8ac12bd44f513c1870dad31bbde2ac1b06d8e225452f560
Instruction Fuzzy Hash: E6418DB1A04208EFDB15CF54C885B9A7BA9EF45314F15C1A9BD19DF20AD7B0DA40DBA0

Function 00C7C27D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C7C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C7C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CE1990,pm), ref: 00C7C395

Strings

pm, xrefs: 00C7C28D
0, xrefs: 00C7C2DF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0$pm
API String ID: 135850232-3986626758
Opcode ID: d6786e713ae31df4c45ab18f47acefae11e0496939eadcde5b214afc9197d7d0
Instruction ID: 283ec29dc1ff6d14d4f91d1f56df2398ed108f48e0decdf29a9ffedb7902109d
Opcode Fuzzy Hash: d6786e713ae31df4c45ab18f47acefae11e0496939eadcde5b214afc9197d7d0
Instruction Fuzzy Hash: E9419F712043029FD720DF25D8C4B9ABBE8AF85324F14CA1DF9A9972E1D730E904DB62

Function 00CA3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA3E35
IsMenu.USER32(?), ref: 00CA3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA3E92
DrawMenuBar.USER32 ref: 00CA3EA5

Strings

0, xrefs: 00CA3D89

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5fbdc4104f6fcf804c9f3c088e9fa71dcc12b050afb0a20e43081ba738e865c3
Instruction ID: 23194faa5fed38004303c81a012b35da43568c2b3ba4519e145302458d167ca2
Opcode Fuzzy Hash: 5fbdc4104f6fcf804c9f3c088e9fa71dcc12b050afb0a20e43081ba738e865c3
Instruction Fuzzy Hash: 1A416A75A0124AEFDB10DF50D894AEABBB9FF4A358F04402AF9159B250D730AE50DF50

Function 00C71DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C71E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C71E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C71EA9

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

Strings

ListBox, xrefs: 00C71E25
ComboBox, xrefs: 00C71DF0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 330ea4d6a5b210677137893dadc1df924350ad4dedb42f705f726ec3438154ee
Instruction ID: 6089c48f3480e92414ed47c4ac14e59eaaa25bb9abe136cf502278b81864b2f3
Opcode Fuzzy Hash: 330ea4d6a5b210677137893dadc1df924350ad4dedb42f705f726ec3438154ee
Instruction Fuzzy Hash: FC214971A00104BFDB149BA8DC5ADFFB7B8DF42354B148129FC69A31E0DB344A45A620

Function 00C9C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9C9F1
_wcslen.LIBCMT ref: 00C9CA68
_wcslen.LIBCMT ref: 00C9CA9E
_wcslen.LIBCMT ref: 00C9CAF9
_wcslen.LIBCMT ref: 00C9CB2F
_wcslen.LIBCMT ref: 00C9CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00C9CA62, 00C9CA67
HKLM, xrefs: 00C9CA98, 00C9CA9D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 7b09b1a14ef1f87d1afe49b8a6d0ca7e50297c18525c4cca5a5b90549a316ea9
Instruction ID: 301059b5e33cdba4b397f82598f20292b98beb8a1cef83d1d240fc5ab582244d
Opcode Fuzzy Hash: 7b09b1a14ef1f87d1afe49b8a6d0ca7e50297c18525c4cca5a5b90549a316ea9
Instruction Fuzzy Hash: 2231D572A001A94BCF20DE2CD9D41BE33919BA1750F55412AE865AB385FE71CF81F3A0

Function 00CA2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CA2F8D
LoadLibraryW.KERNEL32(?), ref: 00CA2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CA2FA9
DestroyWindow.USER32(?), ref: 00CA2FB1

Strings

SysAnimate32, xrefs: 00CA2F68

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 40f48bdcd1ab299f82e19f6da973b4ab93f115a41ce50ebba2adc8959178754d
Instruction ID: 3ab828185e22be473cb1bbfb5e094ee1c93a50b0473ede383bc50503a77c7d07
Opcode Fuzzy Hash: 40f48bdcd1ab299f82e19f6da973b4ab93f115a41ce50ebba2adc8959178754d
Instruction Fuzzy Hash: 8F218E71204226AFEB104FA8DC80FBB77B9EB5A36CF104619F960D6190D771DD91A760

Function 00C34D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C34D1E,00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002), ref: 00C34D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C34DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C34D1E,00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000), ref: 00C34DC3

Strings

mscoree.dll, xrefs: 00C34D86
CorExitProcess, xrefs: 00C34D98

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: eee71ac125b8f790ec1914ce12af77729173d693399b5009432948e640a862f3
Instruction ID: da7b8ece9206d2ab7934444a2674886cb9fc8cfe7d8412fd422a871b817668d8
Opcode Fuzzy Hash: eee71ac125b8f790ec1914ce12af77729173d693399b5009432948e640a862f3
Instruction Fuzzy Hash: A7F04F35A50218BBDB159F94DC89BEEBFF5EF44755F1001A5F906A3260CF70AE40DA90

Function 00C14E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C14EDD,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14EAE
FreeLibrary.KERNEL32(00000000,?,?,00C14EDD,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EC0

Strings

kernel32.dll, xrefs: 00C14E94
Wow64DisableWow64FsRedirection, xrefs: 00C14EA8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e49798c01fbd1eca6d3d0f9366d2710822753251406b5e696bc540c34346b2cb
Instruction ID: 1fea217f33125edcca3ae138d9685952d82a76406bb3c220bbb8ec9c907af52f
Opcode Fuzzy Hash: e49798c01fbd1eca6d3d0f9366d2710822753251406b5e696bc540c34346b2cb
Instruction Fuzzy Hash: BBE0CD36B015225BD23117257C58BAFA554AF83F667050125FE04D3240DB60CE4154B1

Function 00C14E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C53CDE,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14E74
FreeLibrary.KERNEL32(00000000,?,?,00C53CDE,?, w,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E87

Strings

kernel32.dll, xrefs: 00C14E5B
Wow64RevertWow64FsRedirection, xrefs: 00C14E6E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d40dd69525ea1dd5c2c29287f2e3630acde5de0f3be1bd3152c34e99027996fb
Instruction ID: 2bb1281f7142238e7de737be0f34ce43d41b2c800ef7d54c26feeba7189872b1
Opcode Fuzzy Hash: d40dd69525ea1dd5c2c29287f2e3630acde5de0f3be1bd3152c34e99027996fb
Instruction Fuzzy Hash: 41D0C2366026235746221B247C08FCFAA18AF83B193050221FA00A3110CF21CE5291E0

Function 00C82947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82C05
DeleteFileW.KERNEL32(?), ref: 00C82C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C82C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82CC0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: eb845127114b0d746d3fd63bfc50dc44c4ba8943435973d8848701df70430b8a
Instruction ID: ab5c2f6627292c67927536d310c69987a53dc7a462d74883cf571680836fc9e5
Opcode Fuzzy Hash: eb845127114b0d746d3fd63bfc50dc44c4ba8943435973d8848701df70430b8a
Instruction Fuzzy Hash: 72B17D71A00119ABDF25EFA4CC89EEEB7BCEF49314F0040A6F509E6141EA319A449F64

Function 00C9A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00C9A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C9A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C9A468
CloseHandle.KERNEL32(?), ref: 00C9A63D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 827b0be24a20e2fbc4b1b13d51f2516694028fb4e1e322ff4b85cba5091ea873
Instruction ID: f47ebaee279ce20c6e5a25763d6909c04b5f2a91f02a81d2a2e233eaf0217ec6
Opcode Fuzzy Hash: 827b0be24a20e2fbc4b1b13d51f2516694028fb4e1e322ff4b85cba5091ea873
Instruction Fuzzy Hash: 33A1A1716043019FDB20DF28D886F2AB7E5AF84714F14881DF96A9B392DB70ED41DB92

Function 00C7E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C7CF22,?), ref: 00C7DDFD

Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C7CF22,?), ref: 00C7DE16

Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C7E473
MoveFileW.KERNEL32(?,?), ref: 00C7E4AC
_wcslen.LIBCMT ref: 00C7E5EB
_wcslen.LIBCMT ref: 00C7E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C7E650

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 201f13a954fad27c1547fa19e06f19b4cf56a90d329e035f152cda862c8e4ea7
Instruction ID: e854ee60e6ac36861f1b441a2c59904627254910c7fe17ea5423966e2dc87c4d
Opcode Fuzzy Hash: 201f13a954fad27c1547fa19e06f19b4cf56a90d329e035f152cda862c8e4ea7
Instruction Fuzzy Hash: 025182B35083455BC724EB90D891ADF73ECAF89340F00891EF699D3191EF74A688D766

Function 00C9B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C9BB63
RegCloseKey.ADVAPI32(?,?), ref: 00C9BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00C9BBB3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 1edc7a8930ca236d3046f05dc5defb0b997134835f7dd97e1862e48aeceb0fe5
Instruction ID: 6f6cdf2643cb2387a79f28f1b1ad3daad3093624fd1e2a53b42dd6ed816a6731
Opcode Fuzzy Hash: 1edc7a8930ca236d3046f05dc5defb0b997134835f7dd97e1862e48aeceb0fe5
Instruction Fuzzy Hash: D561B131208241AFD714DF14C5D4E6ABBE5FF85308F14855CF49A8B2A2DB31ED46DB92

Function 00C78BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C78BCD
VariantClear.OLEAUT32 ref: 00C78C3E
VariantClear.OLEAUT32 ref: 00C78C9D
VariantClear.OLEAUT32(?), ref: 00C78D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C78D3B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c1359f2ca0c33f08e9ccb3bd78714b14a9995078b4b05103e81af0d347c53b2c
Instruction ID: b1abe23b8b4e8dc1ce952cf6fda6d2b313010f12c2762d41a1b27f49aa827e7d
Opcode Fuzzy Hash: c1359f2ca0c33f08e9ccb3bd78714b14a9995078b4b05103e81af0d347c53b2c
Instruction Fuzzy Hash: B7515AB5A0021AEFCB14CF68C894AAAB7F8FF9D314B158559E919DB350E730E911CF90

Function 00C88AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C88BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C88BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C88C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C88C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C88C5F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: fda61db13afc0b5ac79753ab9a50714f4cf7cb63219d268854c85bda92771b8f
Instruction ID: bdc7fbc2dcff219b295016b474f2fc72baf5780d21315524468f0625539b4a98
Opcode Fuzzy Hash: fda61db13afc0b5ac79753ab9a50714f4cf7cb63219d268854c85bda92771b8f
Instruction Fuzzy Hash: F8514D35A002159FCB05DF64C881EADBBF5FF4A314F088458E849AB362DB31ED55EB90

Function 00C98EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C98F40
GetProcAddress.KERNEL32(00000000,?), ref: 00C98FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C98FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00C99032
FreeLibrary.KERNEL32(00000000), ref: 00C99052

Part of subcall function 00C2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C81043,?,753CE610), ref: 00C2F6E6
Part of subcall function 00C2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C6FA64,00000000,00000000,?,?,00C81043,?,753CE610,?,00C6FA64), ref: 00C2F70D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 81b1ca6c8c6a22252653000ffdcf1b044b63b18d7103bcd54be9710145e62ae4
Instruction ID: a8ad85606f93104bda9b585467fe16505e695a43e2987c5681154cc39386a70b
Opcode Fuzzy Hash: 81b1ca6c8c6a22252653000ffdcf1b044b63b18d7103bcd54be9710145e62ae4
Instruction Fuzzy Hash: B0513A35600205DFCB15DF58C4989ADBBF1FF4A314B0480A8E91A9B362DB31EE86DF90

Function 00CA6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CA6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CA6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CA6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C8AB79,00000000,00000000), ref: 00CA6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CA6CC7

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 7431b0559d88aa7e572abf47625feb42d022e5df2e7057b2c69450c69596d8cb
Instruction ID: fabb9fb7dc11cd06010b933f15b71ec453d4f0f69fe82026282f96f5ecfe4a7c
Opcode Fuzzy Hash: 7431b0559d88aa7e572abf47625feb42d022e5df2e7057b2c69450c69596d8cb
Instruction Fuzzy Hash: 7441D435A04105AFD724DF38CC94FA97BA5EB0B36CF190228F8A5A72E1C771EE40DA50

Function 00C2912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C29141
ScreenToClient.USER32(00000000,?), ref: 00C2915E
GetAsyncKeyState.USER32(00000001), ref: 00C29183
GetAsyncKeyState.USER32(00000002), ref: 00C2919D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c0428757d055ad37b03007490e9f55d15503c98d9ad3a9ddaaee89f549821b6c
Instruction ID: 9dacc6e59ed7bb2fa65dbb122126fdfcaeb5d2635c6a16536231ff5059e6c75d
Opcode Fuzzy Hash: c0428757d055ad37b03007490e9f55d15503c98d9ad3a9ddaaee89f549821b6c
Instruction Fuzzy Hash: 3E415F7190861AABDF159F69D884BEEB774FB06328F204716E439A32D0C7345A50DB91

Function 00C83874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C83922
TranslateMessage.USER32(?), ref: 00C8394B
DispatchMessageW.USER32(?), ref: 00C83955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83966

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e887c418916292665a58f17da1e37e9e88640ae6f44945564ab405148d25e1c1
Instruction ID: 396f0db20c75396455cb4709baed9ceba361d67a789717ec0c0139a84f5021bb
Opcode Fuzzy Hash: e887c418916292665a58f17da1e37e9e88640ae6f44945564ab405148d25e1c1
Instruction Fuzzy Hash: D231C4709043C19EEB35EB35D888BBA37A8AB05718F08156DE876870E0E7B49B85DB15

Function 00C8CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00C8CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFF2

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 32b8154d03c4636098de85568f5ae19eed5700335ee0ab49fa0b797a68747af2
Instruction ID: d5f1868f06fd41a5020069fce40b4d6cf5a62c3e7e459896911ebe742689cc31
Opcode Fuzzy Hash: 32b8154d03c4636098de85568f5ae19eed5700335ee0ab49fa0b797a68747af2
Instruction Fuzzy Hash: 2A314A71604205AFEB20EFE5D8C4AAFBBF9EB15359B10442EF616D3150DB30AE41DB64

Function 00C71901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C71915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C719E2

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8e04a7f14d2d1f2696da8696939f6f345169df97f071ec9970f9d2ef6472a2bf
Instruction ID: d33da82fc581b4ecf88efacc7979625b46d0d479b705b20d83128c60197a5489
Opcode Fuzzy Hash: 8e04a7f14d2d1f2696da8696939f6f345169df97f071ec9970f9d2ef6472a2bf
Instruction Fuzzy Hash: 4C31AD71A00219EFCB10CFACC999BDE3BB5EB45315F148229FE25A72D1C7709A55CB90

Function 00CA5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CA5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CA579D
_wcslen.LIBCMT ref: 00CA57AF
_wcslen.LIBCMT ref: 00CA57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA5816

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: aaebbe025575b96a743e53faa375b62ecf994364ae2d0d0f917f49ea1f9a8c66
Instruction ID: ccdc12899dd236c23d61d852eb723e54197d7a75e03ee72afa841572a262523e
Opcode Fuzzy Hash: aaebbe025575b96a743e53faa375b62ecf994364ae2d0d0f917f49ea1f9a8c66
Instruction Fuzzy Hash: 8B217175914619DADB209FA1CC85AEE77BCFF06728F108216F929EB1C0D7709A85CF50

Function 00C90930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C90951
GetForegroundWindow.USER32 ref: 00C90968
GetDC.USER32(00000000), ref: 00C909A4
GetPixel.GDI32(00000000,?,00000003), ref: 00C909B0
ReleaseDC.USER32(00000000,00000003), ref: 00C909E8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c889d8587108f8c8bf25e82b7d7483836d405551573d10763aac045e565591c5
Instruction ID: 32764b1aac556f408b76e7b936cd15e67fc6c2f11114647279d8e99f7a77e991
Opcode Fuzzy Hash: c889d8587108f8c8bf25e82b7d7483836d405551573d10763aac045e565591c5
Instruction Fuzzy Hash: 3F219335600204AFD704EF65C988BAEBBF9EF45704F148468F85AE7352DB30AD45DB50

Function 00C4CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C4CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4CDE9

Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C4CE0F
_free.LIBCMT ref: 00C4CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C4CE31

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1e6ff1423602e380e88ed5c00ce5724682d78a10909c2c8163d4757b70054281
Instruction ID: ea07bd886d0eb9c83850cf7348a92847241fb4684646f49fc5c6d31d89eccc87
Opcode Fuzzy Hash: 1e6ff1423602e380e88ed5c00ce5724682d78a10909c2c8163d4757b70054281
Instruction Fuzzy Hash: 280184726032157F276116B76CC8E7F696DFFC7BA53150129F915C7221EF618E0291B0

Function 00C29639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
SelectObject.GDI32(?,00000000), ref: 00C296A2
BeginPath.GDI32(?), ref: 00C296B9
SelectObject.GDI32(?,00000000), ref: 00C296E2

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f0f4e052ee40dca24412d6271d2ef15ca748077e77ae760ca1d974bcc11c6989
Instruction ID: 5f6ac1c31ca30080bd953acf03588565ba5599bb8a7b5e2c625e2bcd9aed6b95
Opcode Fuzzy Hash: f0f4e052ee40dca24412d6271d2ef15ca748077e77ae760ca1d974bcc11c6989
Instruction Fuzzy Hash: 3A218030802355EBDB119F25FC88BAD3BB8FB01315F140216F820AB1B2D37499A1CF90

Function 00C75711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C75726
_memcmp.LIBVCRUNTIME ref: 00C75744
_memcmp.LIBVCRUNTIME ref: 00C75757
_memcmp.LIBVCRUNTIME ref: 00C7576F
_memcmp.LIBVCRUNTIME ref: 00C75787

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b37fcbc03c6e163636846b32fa46487886925fcfa423922f9029b60c270bfd1c
Instruction ID: 5f1365d5740565f059f276c94699a8967c8861ecb13e1517458d30e1feccc306
Opcode Fuzzy Hash: b37fcbc03c6e163636846b32fa46487886925fcfa423922f9029b60c270bfd1c
Instruction Fuzzy Hash: BC01B5A166160ABFE21C55529D82FBB735C9B213A8F048034FD1C9A241F7B1EE5196B0

Function 00C7000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?,?,00C7035E), ref: 00C7002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?), ref: 00C70064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70070

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ee660adf0c313c44579a228422833e6a8b96572f4007c1e6c2da50107195b175
Instruction ID: 14162b03d2dc074b54f4ff1eb9af76beef692ffff95eb12ac3eb8bce7b676739
Opcode Fuzzy Hash: ee660adf0c313c44579a228422833e6a8b96572f4007c1e6c2da50107195b175
Instruction Fuzzy Hash: 0F018F72600204FFDB104F69DC48BAE7BEDEB44766F248124F909D3210D779DE409BA0

Function 00C7E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C7E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C7E9A5
Sleep.KERNEL32(00000000), ref: 00C7E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C7E9B7
Sleep.KERNEL32 ref: 00C7E9F3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 829d73f68c671ae9f6c23f989a63d9913a920420df60f085f44ec2929094de10
Instruction ID: 4e18c7f28a7ef5cdf624d1fe8092a59fed739ee978d7bf2840c80478ca3c481b
Opcode Fuzzy Hash: 829d73f68c671ae9f6c23f989a63d9913a920420df60f085f44ec2929094de10
Instruction Fuzzy Hash: D6011732D01629DBCF00ABE5D899BEDBB78BF0E701F004596EA16B2251CB349655CBA1

Function 00C710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 44d01111d23d7106b58d3e67612ab5314162627c8dec4f164e52cf41d2c5e68c
Instruction ID: ff8d790bba3247bf815beb54ce1f44f01da9292ad32f034bfd7dcd0b6041220c
Opcode Fuzzy Hash: 44d01111d23d7106b58d3e67612ab5314162627c8dec4f164e52cf41d2c5e68c
Instruction Fuzzy Hash: 54011975200205BFDB114FA9DC89B6E3B6EEF8A3A4B644419FA45D7360DA31DD109A60

Function 00C70FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C70FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C70FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C70FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C70FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C71002

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c5c51e00411270c52d295d2499a871057943dbe585881e6fe411e4c1b0c740ca
Instruction ID: 0413710c090de4d678ba7d218d2809fc4356613b905069b55a6431b558c9d188
Opcode Fuzzy Hash: c5c51e00411270c52d295d2499a871057943dbe585881e6fe411e4c1b0c740ca
Instruction Fuzzy Hash: F6F04935200301AFDB214FA89C89F9A3BADEF8A766F144414FA49C7251DE70DC508A60

Function 00C71014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C7102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C71036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71062

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cf7a583c2cbfc6dad122758e9660c36bdc6152b19820f59e80ea34dccf2a7663
Instruction ID: f3cc19f1bd147346447bacb805fd39bfc7da7f92b008879763cb19203e3440df
Opcode Fuzzy Hash: cf7a583c2cbfc6dad122758e9660c36bdc6152b19820f59e80ea34dccf2a7663
Instruction Fuzzy Hash: B7F06D35200301FBDB215FA8EC89F9A3BADEF8A765F144414FE49C7250DE70D9508A60

Function 00C8030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80324
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80331
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C8033E
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C8034B
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80358
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80365

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 15bc48ef4fc0762d5dbef3ef42710a45e58db3678c8162e4c127d493377dd3e4
Instruction ID: 2a60ff37e9850cc93963563cb14e4113a762db26c58cf2a8275f37eb79bb5b52
Opcode Fuzzy Hash: 15bc48ef4fc0762d5dbef3ef42710a45e58db3678c8162e4c127d493377dd3e4
Instruction Fuzzy Hash: 30019072801B159FCB30AF66D880416F7F5BF602193258A3ED1A652931C771AA58DF84

Function 00C4D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C4D752

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C4D764
_free.LIBCMT ref: 00C4D776
_free.LIBCMT ref: 00C4D788
_free.LIBCMT ref: 00C4D79A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: defb73ef8943c9e2dfaf6213f52cf4238d4ed9aa37333cc01ba136eee1ebf9a0
Instruction ID: 8059b41ae8f84a4d39d99ac8b9141c427788b722ee677d237092993823095de5
Opcode Fuzzy Hash: defb73ef8943c9e2dfaf6213f52cf4238d4ed9aa37333cc01ba136eee1ebf9a0
Instruction Fuzzy Hash: CDF09032541205AB8621FB69F9C2E1A7BDDBB04320BE40C06F05AE7546CB30FC80DA60

Function 00C75C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C75C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C75C6F
MessageBeep.USER32(00000000), ref: 00C75C87
KillTimer.USER32(?,0000040A), ref: 00C75CA3
EndDialog.USER32(?,00000001), ref: 00C75CBD

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 00d179fba3f3835c3bc3a8e705b708139bbe7e48329188c35ddf770ca150daba
Instruction ID: 79400189d0d61fe3c6fe03756fa5865c5029b728fa854ac18697ca79ea441419
Opcode Fuzzy Hash: 00d179fba3f3835c3bc3a8e705b708139bbe7e48329188c35ddf770ca150daba
Instruction Fuzzy Hash: F401A430500B04ABEB219B11DD8EFEA77B8BF05B09F044559B597A20E1DBF0AA84CB90

Function 00C422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C422BE

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C422D0
_free.LIBCMT ref: 00C422E3
_free.LIBCMT ref: 00C422F4
_free.LIBCMT ref: 00C42305

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0a0586d1d3f7f103e70acfd57ec8bbbae2bc40712f664e8eb7d0c05fd380f512
Instruction ID: 66c842e4adb97cf9d2489d04107457dd67596ea345800028d12b437593d7d792
Opcode Fuzzy Hash: 0a0586d1d3f7f103e70acfd57ec8bbbae2bc40712f664e8eb7d0c05fd380f512
Instruction Fuzzy Hash: ECF05E708011A19B9A22AF95BC83B0C3B68F728770794050BF810DE2B1C7715962FFE4

Function 00C295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C295D4
StrokeAndFillPath.GDI32(?,?,00C671F7,00000000,?,?,?), ref: 00C295F0
SelectObject.GDI32(?,00000000), ref: 00C29603
DeleteObject.GDI32 ref: 00C29616
StrokePath.GDI32(?), ref: 00C29631

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e6d2a022b37d685a43a42dafe7ba8c0cf91592e152d7d9d54f808c2efe3252e3
Instruction ID: 66c4a864678db802bce69f763be00c7b36f9d01d7e6a2709e031545fcc17929b
Opcode Fuzzy Hash: e6d2a022b37d685a43a42dafe7ba8c0cf91592e152d7d9d54f808c2efe3252e3
Instruction Fuzzy Hash: 60F03C30005244EBDB125F65ED9C7AC3BA1EB02326F088224F9255A4F2CB348AA1DF20

Function 00C40F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C410F9
__freea.LIBCMT ref: 00C41117

Part of subcall function 00C41537: _free.LIBCMT ref: 00C4154F

Strings

am/pm, xrefs: 00C4117A
a/p, xrefs: 00C411DE

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ffd513e567bdef884e48b25a0bd0795b0b8efa3f593113199d7ad124c9021967
Instruction ID: 4215e8cc08471393e90bb90a8fec2391b4cc92512362a0e15fc1e021f168f297
Opcode Fuzzy Hash: ffd513e567bdef884e48b25a0bd0795b0b8efa3f593113199d7ad124c9021967
Instruction Fuzzy Hash: 83D10331A10246CADB289F69C855BFEBBB0FF05710F2C4119EDA1AB661D3759EC0CB91

Function 00C72716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721D0,?,?,00000034,00000800,?,00000034), ref: 00C7B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C72760

Part of subcall function 00C7B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C7B3F8

Part of subcall function 00C7B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C7B355
Part of subcall function 00C7B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C72194,00000034,?,?,00001004,00000000,00000000), ref: 00C7B365
Part of subcall function 00C7B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C72194,00000034,?,?,00001004,00000000,00000000), ref: 00C7B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C7281A

Strings

@, xrefs: 00C72832

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e4fec153c75e038a8380873b3ae54fe67aeaaffa9ee466d122e5e3eb61e1f8a6
Instruction ID: b2d28a0531a3230f6ece25e137f0c2d5d4ed08069f3e59f59f9495ceeba29fe2
Opcode Fuzzy Hash: e4fec153c75e038a8380873b3ae54fe67aeaaffa9ee466d122e5e3eb61e1f8a6
Instruction Fuzzy Hash: 70411D72900218AFDB10DBA4CD85BDEBBB8AF05700F108095FA59B7191DB716F85DBA1

Function 00C4172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C41769
_free.LIBCMT ref: 00C41834
_free.LIBCMT ref: 00C4183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C41760, 00C41767, 00C41796, 00C417CE

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 60b0ae86e996e5c41a4bef042ade8e5841648a69fc9cdf8007a25c28d73a684b
Instruction ID: 822b92ce9563a0c3a8b11bb7eace1235aa42da7108b81c156af849da92989621
Opcode Fuzzy Hash: 60b0ae86e996e5c41a4bef042ade8e5841648a69fc9cdf8007a25c28d73a684b
Instruction Fuzzy Hash: 1A318D71A00258ABDB21DF9ADC81E9EBBFCFB85310B194166FD549B251D6708A80DBA0

Function 00CA4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CACC08,00000000,?,?,?,?), ref: 00CA44AA
GetWindowLongW.USER32 ref: 00CA44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA44D7

Strings

SysTreeView32, xrefs: 00CA447C

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2cbc6f3cb31ee3d1ac85d592d30721fb79e40830d1655eeed6da7c5ea3b57530
Instruction ID: 13f27307429f8300f17e72fd810abf7ca87c7068a955f46f006db778f1ea0a93
Opcode Fuzzy Hash: 2cbc6f3cb31ee3d1ac85d592d30721fb79e40830d1655eeed6da7c5ea3b57530
Instruction Fuzzy Hash: B8319E31210606AFDB248F78DC85BEA77A9EB4A338F204725F975931E0D7B0ED509B50

Function 00C9304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C93077,?,?), ref: 00C93378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C9307A
_wcslen.LIBCMT ref: 00C9309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00C93106

Strings

255.255.255.255, xrefs: 00C93095, 00C9309A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6700053ab4bd15b74e2493be6521c353358a1ffcf813e85e28bc72f9b46bd0ce
Instruction ID: 7c72c338673c71e96cb1f925612ae64421c5fc31e1430f612b9f0be7181cb01f
Opcode Fuzzy Hash: 6700053ab4bd15b74e2493be6521c353358a1ffcf813e85e28bc72f9b46bd0ce
Instruction Fuzzy Hash: 5B31B2352002819FCF20CF69C589AAA77E0EF55318F248059E9258B3A2D731EF45C760

Function 00CA3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CA3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CA3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA3F78

Strings

SysMonthCal32, xrefs: 00CA3F0B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b2b9cbcffe0b8d39b1bd303d3441ed9b954683a0a63ee82167f4e55b2cfddde0
Instruction ID: bc13426f21aaf9ab97688faf4aaea3d37672c61a728a427cf679cc47f78f0d60
Opcode Fuzzy Hash: b2b9cbcffe0b8d39b1bd303d3441ed9b954683a0a63ee82167f4e55b2cfddde0
Instruction Fuzzy Hash: 1621AB3261025ABFDF218E90CC86FEE3B79EB49718F110254FA156B1D0D6B1AD909BA0

Function 00CA4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CA4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CA4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CA471A

Strings

msctls_updown32, xrefs: 00CA4684

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6a0efa6eb90c4af59000b72789fab19e8329d80d0f338ac247f84b64903a538a
Instruction ID: e1aea0e555df983eae506241229a44350f5d1eb0e008af96056286ec76757be4
Opcode Fuzzy Hash: 6a0efa6eb90c4af59000b72789fab19e8329d80d0f338ac247f84b64903a538a
Instruction Fuzzy Hash: 38214FB5600245AFDB14DF68DCC1EAB37ADEB8B3A8B040059FA109B261DB70ED51DB60

Function 00C795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C7961D

Strings

#OnAutoItStartRegister, xrefs: 00C795F3
#requireadmin, xrefs: 00C795D9
#notrayicon, xrefs: 00C795B7

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: edd87ebb112eff2d91c7dcbc53afa3748d13cb5ada26cf7365379eb616807fb9
Instruction ID: c2ea28e91db22af7f4fcb748357ffb6975dda1308749e840ba750ca560612e14
Opcode Fuzzy Hash: edd87ebb112eff2d91c7dcbc53afa3748d13cb5ada26cf7365379eb616807fb9
Instruction Fuzzy Hash: F0215B7210422166C371AB259C02FF773E8DF52314F10C13AF95D97181EB71AE86E2D5

Function 00CA37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CA3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CA3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CA3876

Strings

Listbox, xrefs: 00CA380F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c60cbb18111247e77ab5b07601fcda51528f1cf76cca9d2d47d17eea019c18ca
Instruction ID: 17899ca5fa4353bf6f55f89fa64d045bd2458aa3816011b3a6176a9ddf4df162
Opcode Fuzzy Hash: c60cbb18111247e77ab5b07601fcda51528f1cf76cca9d2d47d17eea019c18ca
Instruction Fuzzy Hash: AC21C272600119BBEF218F54CC85FBB376EEF8A758F118125F9109B190CA75DD51C7A0

Function 00C849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C84A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C84A5C
SetErrorMode.KERNEL32(00000000,?,?,00CACC08), ref: 00C84AD0

Strings

%lu, xrefs: 00C84A6F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 29d89d47d3cd080e038d853636290b10e3d0eb43b76d76e72d5b9f7d8af1dcd5
Instruction ID: a557e7babadff5fc9092584acdd8de989e9fba5c85535b5ff865d84a37e55b50
Opcode Fuzzy Hash: 29d89d47d3cd080e038d853636290b10e3d0eb43b76d76e72d5b9f7d8af1dcd5
Instruction Fuzzy Hash: 36315E75A00109AFDB14DF54C885EAE7BF8EF09308F1480A9E909DB252DB71EE46DB61

Function 00CA41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CA424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CA4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CA4271

Strings

msctls_trackbar32, xrefs: 00CA4226

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5aa600152367356e2ede077d37cb59a075bda46441984a127acf3d50623a6aee
Instruction ID: c3c91cd1fa7115da5232395447d35d21ac2e62a0257276e15e325f07cca1561f
Opcode Fuzzy Hash: 5aa600152367356e2ede077d37cb59a075bda46441984a127acf3d50623a6aee
Instruction Fuzzy Hash: E8110631240249BEEF205F69CC46FAB3BACEFC6B58F010224FA55E6090D6B1DC519B50

Function 00C72F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

Part of subcall function 00C72DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C72DC5
Part of subcall function 00C72DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C72DD6
Part of subcall function 00C72DA7: GetCurrentThreadId.KERNEL32 ref: 00C72DDD
Part of subcall function 00C72DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C72DE4

GetFocus.USER32 ref: 00C72F78

Part of subcall function 00C72DEE: GetParent.USER32(00000000), ref: 00C72DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C72FC3
EnumChildWindows.USER32(?,00C7303B), ref: 00C72FEB

Strings

%s%d, xrefs: 00C72FFF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0902b07d11f373bd931e906b3052739578e2f31c172ed499bb9b0c5c44c16b84
Instruction ID: 3fd97b0e481e9e01e0beb031794a31dcd94ebfad357d2da23b2bd66543bd663e
Opcode Fuzzy Hash: 0902b07d11f373bd931e906b3052739578e2f31c172ed499bb9b0c5c44c16b84
Instruction Fuzzy Hash: 2F11B471600205ABCF14BF708CC5FEE376AAF95314F048079F90D9B252DE309A45EB60

Function 00CA5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CA58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CA58EE
DrawMenuBar.USER32(?), ref: 00CA58FD

Strings

0, xrefs: 00CA588F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: e958a84c9764a40552f143b71567413cac2222a4e650dd359fc17c9f70ee60e9
Instruction ID: 4f8fa94b027908ede11150ec3e534b7a28ecf11b31853a91f80b7293cfa3e2d8
Opcode Fuzzy Hash: e958a84c9764a40552f143b71567413cac2222a4e650dd359fc17c9f70ee60e9
Instruction Fuzzy Hash: E5015B31500219EEDB219F61EC44BAFBBB4FF46364F10C0A9F849DA151DB308A85EF21

Function 00C7007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede8fb18de77df23ab8ae2999d189d11258ceb8fc21b094576a4f3cd382b740b
Instruction ID: bf810367d669ce40de15895ab143b7f237fefd1aca62a5aecf7d7ccc6cb716c3
Opcode Fuzzy Hash: ede8fb18de77df23ab8ae2999d189d11258ceb8fc21b094576a4f3cd382b740b
Instruction Fuzzy Hash: A6C14D75A00206EFDB14CFA4C898BAEB7B5FF48714F208598E519EB261D731DE81CB90

Function 00C43E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C43F0B
__alldvrm.LIBCMT ref: 00C4410C
__alldvrm.LIBCMT ref: 00C4412E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 0c4033bfdd9cca15180385251f3e7b1dc8a68c4bb808a8478c5af98e35f6fc46
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: ADA18B75D003869FEB29CF58C8817AEBBF4FF61350F2841ADE9959B281C6348E85C750

Function 00C9342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C93459
CoUninitialize.OLE32 ref: 00C93463
VariantInit.OLEAUT32(?), ref: 00C9346E
VariantClear.OLEAUT32(?), ref: 00C9371B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3487feee87f4f9eba0da3e8f6cf728e08b691f0f79bcbd75fd21afd92649544f
Instruction ID: 0a880b63225cc5ee6db78206bd95c1f970449a4d0b578d38ecb71c05fdcef19f
Opcode Fuzzy Hash: 3487feee87f4f9eba0da3e8f6cf728e08b691f0f79bcbd75fd21afd92649544f
Instruction Fuzzy Hash: 40A15A752043009FCB10DF28C489A6AB7E5FF89714F048959F98A9B362DB30EE41DB92

Function 00C70436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C70608
CLSIDFromProgID.OLE32(?,?,00000000,00CACC40,000000FF,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C7062D
_memcmp.LIBVCRUNTIME ref: 00C7064E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e64b1e4f90e53f55f6a35d9779c49738373131b1acf5592c6102a0aeb1ee6225
Instruction ID: d2c11210e41d68fbecff97b9810cac46a5c31fa2006d8340d8b963adebdbb28d
Opcode Fuzzy Hash: e64b1e4f90e53f55f6a35d9779c49738373131b1acf5592c6102a0aeb1ee6225
Instruction Fuzzy Hash: D3810971A00109EFCB04DF94C998EEEB7B9FF89315F208558F516AB250DB71AE46CB60

Function 00C9A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C9A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00C9A6BA

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Process32NextW.KERNEL32(00000000,?), ref: 00C9A79C
CloseHandle.KERNEL32(00000000), ref: 00C9A7AB

Part of subcall function 00C2CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C53303,?), ref: 00C2CE8A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 90f73a9e9189488d412237ac539b229dce534d671b451239d280ccbfcd7afae2
Instruction ID: 87d1226208ae7f8bd34dadf69b56f9e7adfb33f89a69ddd7400186edd0b8f14f
Opcode Fuzzy Hash: 90f73a9e9189488d412237ac539b229dce534d671b451239d280ccbfcd7afae2
Instruction Fuzzy Hash: 95517D71508300AFD710EF24D886AAFBBE8FF89754F00891DF595972A1EB30D945DB92

Function 00C51391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C514C0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 202f1adb915a4de4db2c3fb91fbe65e724c528b3bbc589a3c1b8cc006017cd7b
Instruction ID: 5aba925abd29f8beb4077d3c7ccf33ebe6c27fb98ab8e71e92c3c91ed112a8aa
Opcode Fuzzy Hash: 202f1adb915a4de4db2c3fb91fbe65e724c528b3bbc589a3c1b8cc006017cd7b
Instruction Fuzzy Hash: BC413C39A00110ABDB216BBA9C4DBBF3AA4FF41371F1C0625FC29D6192E77489C56276

Function 00CA6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CA62E2
ScreenToClient.USER32(?,?), ref: 00CA6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CA6382

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a97181196f1b3e8a26497a8d511912e8aadd9b1969062061d88956b25cfcd7a1
Instruction ID: 7c5481b3c9d010ec1862a5c2c3e03ba74026578e7a048f2aab3d6e9a6eac37b5
Opcode Fuzzy Hash: a97181196f1b3e8a26497a8d511912e8aadd9b1969062061d88956b25cfcd7a1
Instruction Fuzzy Hash: 8951417490124AEFCF10DF54D880AAE7BB5FF56368F148259F9259B2A0D730EE51CB50

Function 00C91AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C91AFD
WSAGetLastError.WSOCK32 ref: 00C91B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C91B8A
WSAGetLastError.WSOCK32 ref: 00C91B94

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: c054e288ad98910b18d739ad44aff3cf7201089b1f26e8c4f1f60a03a8841f86
Instruction ID: 200a00f94d3c221fcf719407d7fbe7620feca400b7ee2ad86a27c9b7f1505161
Opcode Fuzzy Hash: c054e288ad98910b18d739ad44aff3cf7201089b1f26e8c4f1f60a03a8841f86
Instruction Fuzzy Hash: D641F5746002016FDB20AF24C88AF6977E1AB45708F54C448F9258F7D3D772ED82DB90

Function 00C4B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c174c1ca4a87bc5859a5b10163de4c08073e2412e0b7d22c9d0a195126af4e80
Instruction ID: 5c3bed0bbec07413a6630b1b4caa5487d81512a8c1155c84c4619ed77afa16c5
Opcode Fuzzy Hash: c174c1ca4a87bc5859a5b10163de4c08073e2412e0b7d22c9d0a195126af4e80
Instruction Fuzzy Hash: 32412475A00304AFD7259F38CC46BAABBE9FB88720F10852EF515DB282D371DE419790

Function 00C856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C85783
GetLastError.KERNEL32(?,00000000), ref: 00C857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C857FA

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b745f6ecd1ce92455132ba17ead7a92a9a90db42cdbb7110dc79fb12ff503a22
Instruction ID: b62ff9f39496fa147d669e71d7d45dc89315c49291536f1921365bbb27e3fcce
Opcode Fuzzy Hash: b745f6ecd1ce92455132ba17ead7a92a9a90db42cdbb7110dc79fb12ff503a22
Instruction Fuzzy Hash: 48414F35600610DFCB11EF15C484A5DBBF2EF4A324B18C488E85A9B362CB70FD41EB91

Function 00C4D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C36D71,00000000,00000000,00C382D9,?,00C382D9,?,00000001,00C36D71,8BE85006,00000001,00C382D9,00C382D9), ref: 00C4D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C4D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C4D9AB
__freea.LIBCMT ref: 00C4D9B4

Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d19955e6e9c138387eb7ebee117a1e13bb3ccaa1d55b1c41225a1b726c10049e
Instruction ID: c93c7a0e11b1334ce12a8181bebb36c02fad338d2685c12c2fb0f968acf626d0
Opcode Fuzzy Hash: d19955e6e9c138387eb7ebee117a1e13bb3ccaa1d55b1c41225a1b726c10049e
Instruction Fuzzy Hash: A231DE72A1020AABDF24AF65DC85EEE7BA5FB51310F050168FC15D7290EB35DE50DB90

Function 00CA52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CA5352
GetWindowLongW.USER32(?,000000F0), ref: 00CA5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CA53A8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 7d05e8e90c5006e27f1cf6129591d755fbaa0a51a349ca00936746477d49090a
Instruction ID: f0fad2c10934fefcdd0aae7eebcbaf5fbcc273d8a1ac05b352171d69e40819e6
Opcode Fuzzy Hash: 7d05e8e90c5006e27f1cf6129591d755fbaa0a51a349ca00936746477d49090a
Instruction Fuzzy Hash: AD31E234A57A0AFFEF309A15CC45BEC3761AB87398F588101FA21961F1C7B09A80EB41

Function 00C7AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C7ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C7AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C7AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C7ACC6

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a7ab3594870e0c8c4a3c93b17813048f5bc5257581671959f7fa0a1e9b66a305
Instruction ID: b3f9143d2b2186561e2d54f2534493dc4c123f564b605f5d3111d0dba9b645a9
Opcode Fuzzy Hash: a7ab3594870e0c8c4a3c93b17813048f5bc5257581671959f7fa0a1e9b66a305
Instruction Fuzzy Hash: 52310970A007187FEF36CB658C05BFE7BA5ABC5320F04C31AE4A9921D1C3768A859752

Function 00CA7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CA769A
GetWindowRect.USER32(?,?), ref: 00CA7710
PtInRect.USER32(?,?,00CA8B89), ref: 00CA7720
MessageBeep.USER32(00000000), ref: 00CA778C

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 95e01629bd60ac802e9d681ae4d4d8956edf324f3211574d54fd8d5b44802ee2
Instruction ID: 916cd8716ca0d9715b43372b60c2964471753130a24048519294b66dadcd353c
Opcode Fuzzy Hash: 95e01629bd60ac802e9d681ae4d4d8956edf324f3211574d54fd8d5b44802ee2
Instruction Fuzzy Hash: 97417F34605256DFCB02CF58CD98FAD77F5BB4A318F1942A8E824DB261D730AA41CB90

Function 00CA16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CA16EB

Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65

GetCaretPos.USER32(?), ref: 00CA16FF
ClientToScreen.USER32(00000000,?), ref: 00CA174C
GetForegroundWindow.USER32 ref: 00CA1752

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 01fc46f9a05f9b88213afbfd0f2c3a1950afcc48f7149e83ea338264a8dae047
Instruction ID: d6c779cf39b1c52c281bbab8948a8c185a6c71c0e6ebfc01379a1fa6b6522880
Opcode Fuzzy Hash: 01fc46f9a05f9b88213afbfd0f2c3a1950afcc48f7149e83ea338264a8dae047
Instruction Fuzzy Hash: 7031FD75D00249AFD704EFA9C8C19EEBBF9EF49308B5480AAE415E7211DB319E45DBA0

Function 00C7DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

_wcslen.LIBCMT ref: 00C7DFCB
_wcslen.LIBCMT ref: 00C7DFE2
_wcslen.LIBCMT ref: 00C7E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C7E018

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 2d71594489efdf2a5d2b9d641ab2a516d921e724dbd216af3a29278010d5b877
Instruction ID: 5abaf32e406a5420227cd1b86923abb9598fc132f939ffb733b79c7b86c9c293
Opcode Fuzzy Hash: 2d71594489efdf2a5d2b9d641ab2a516d921e724dbd216af3a29278010d5b877
Instruction Fuzzy Hash: BA21C772900214EFCB10DFA8D982BAEB7F8EF49760F148065F819BB241D6709E41DBE1

Function 00CA8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

GetCursorPos.USER32(?), ref: 00CA9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C67711,?,?,?,?,?), ref: 00CA9016
GetCursorPos.USER32(?), ref: 00CA905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C67711,?,?,?), ref: 00CA9094

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 803c39e579731314999c0377900d58c7e5d3ed6999ed5b7c45563e24d8f2795b
Instruction ID: d16e7304fe97b12b47aca78934da05bad66936fba52a5ceb43d12aeab56d99d0
Opcode Fuzzy Hash: 803c39e579731314999c0377900d58c7e5d3ed6999ed5b7c45563e24d8f2795b
Instruction Fuzzy Hash: 6921A135600018EFCB258F94DC99FFE7BB9EF4A3A4F144055F9154B261C7319AA0EB60

Function 00C7D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CACB68), ref: 00C7D2FB
GetLastError.KERNEL32 ref: 00C7D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C7D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CACB68), ref: 00C7D376

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0c15dcf6533da39e3085e257879be1df072d4a0061adcd4e539a1a1024036dd7
Instruction ID: ac77682855c7eb104361a0e7742cdb78c686970b160e0ac272bc32bdb89ae22d
Opcode Fuzzy Hash: 0c15dcf6533da39e3085e257879be1df072d4a0061adcd4e539a1a1024036dd7
Instruction Fuzzy Hash: CD219F705092019F8700DF28C8819AE7BF4EF56328F108A1DF4AAC32A1DB31DA46DB93

Function 00C71571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C7102A
Part of subcall function 00C71014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C71036
Part of subcall function 00C71014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71045
Part of subcall function 00C71014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7104C
Part of subcall function 00C71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C715BE
_memcmp.LIBVCRUNTIME ref: 00C715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C71617
HeapFree.KERNEL32(00000000), ref: 00C7161E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d6d2ca9dd2a555ebc30b5fb553a8d4a6b1ab718da199b27bf0e4f90ff8e7f497
Instruction ID: 07b21b558c197a208dc36e6c5471785f229b340281421504dca6ba1966a62f09
Opcode Fuzzy Hash: d6d2ca9dd2a555ebc30b5fb553a8d4a6b1ab718da199b27bf0e4f90ff8e7f497
Instruction Fuzzy Hash: CD219D31E00108EFDF14DFA8C985BEEB7B8EF44354F188459E859AB241E730AA05DBA0

Function 00CA2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CA280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CA2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CA2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CA2840

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ff1a11cb4a82c7c42676385bc5fedd32eeb50fa1734216111c8c6fe3f4571e32
Instruction ID: 6671f2331eb03a1e6f7fdbeb2e848616b406083dcd89925dd82a6f7bb67b51f9
Opcode Fuzzy Hash: ff1a11cb4a82c7c42676385bc5fedd32eeb50fa1734216111c8c6fe3f4571e32
Instruction Fuzzy Hash: FA21D631604522AFD714DB28C884FAA7795EF47328F148158F426CB6D2CB75FD82DB90

Function 00C778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?), ref: 00C78D8C
Part of subcall function 00C78D7D: lstrcpyW.KERNEL32(00000000,?,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C78DB2
Part of subcall function 00C78D7D: lstrcmpiW.KERNEL32(00000000,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?), ref: 00C78DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77923
lstrcpyW.KERNEL32(00000000,?,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77984

Strings

cdecl, xrefs: 00C7797B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 24ad45557f9e7a8b88822bbf895666b1f0fd8c96d3b9e8729fd126da7197a100
Instruction ID: 8b87fec604eb9bd397d83c8baa95700937b369a87ceedab6194062f441cd6345
Opcode Fuzzy Hash: 24ad45557f9e7a8b88822bbf895666b1f0fd8c96d3b9e8729fd126da7197a100
Instruction Fuzzy Hash: 9611293A201306ABCF156F34D844E7B77A5FF95354B00812EFA0AC7264EF319901D791

Function 00CA7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CA7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CA7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CA7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C8B7AD,00000000), ref: 00CA7D6B

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 0ce250b49e09785377fd73658393102a587b5e8fbcc489d68604da372d36cb62
Instruction ID: 8fc06cfc7570fb31406786ef29b5bf6fdac610739d85875fee2a74bb705575ca
Opcode Fuzzy Hash: 0ce250b49e09785377fd73658393102a587b5e8fbcc489d68604da372d36cb62
Instruction Fuzzy Hash: 8A117232A05666AFCB109F28DC44BAA3BA5BF46378B154724FC35DB2F0D7309A61DB50

Function 00CA5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00CA56BB
_wcslen.LIBCMT ref: 00CA56CD
_wcslen.LIBCMT ref: 00CA56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA5816

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 6ec7bb21334df91f0bc97f58413d40fbccd8353a0899db1e8c5f336ecb244c3d
Instruction ID: 42b1f66983af257edb860582573f3a0c33b2f94e3f8b17e1614197cc6b18c95c
Opcode Fuzzy Hash: 6ec7bb21334df91f0bc97f58413d40fbccd8353a0899db1e8c5f336ecb244c3d
Instruction Fuzzy Hash: 0F11D67161060696DF20DFA1CC85BEE777CFF16768F108026F915D6181EB70DA84CB64

Function 00C41D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9208ab149a415dd6bec1d6a229db55b50f14a30ed053f2a350817f6aba428f79
Instruction ID: 9075460735c783393df60c030169f8fa17577131668e468f6c3cb28cbe572954
Opcode Fuzzy Hash: 9208ab149a415dd6bec1d6a229db55b50f14a30ed053f2a350817f6aba428f79
Instruction Fuzzy Hash: 2D0162F2A0561A7EF6122A796CC1F6B661DFF513B8B380325F971511D2DB709D805170

Function 00C71A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C71A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A8A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a196a008e0c3c052f4c139452cae163117fb30130b9eeae20d9096db1db0de60
Instruction ID: f6e7898f527be73c3e4cf92757fc2ee7a15e1534ebfb2cb59f9cad27c998c0cb
Opcode Fuzzy Hash: a196a008e0c3c052f4c139452cae163117fb30130b9eeae20d9096db1db0de60
Instruction Fuzzy Hash: 80113C3AD01219FFEB10DBA9CD85FADBB78EB04750F244091EA04B7290D6716F50EB94

Function 00C7E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C7E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C7E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C7E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C7E24D

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: df03e39e71391a12fcb1e50cd7e29230fb3d258fadb246641a7ea3808403ca58
Instruction ID: cbc07bc6691a5328735b001323400aac0395463f26ccec592543d149efa3a5f8
Opcode Fuzzy Hash: df03e39e71391a12fcb1e50cd7e29230fb3d258fadb246641a7ea3808403ca58
Instruction Fuzzy Hash: B411DB76A04258BBC7019FA89C49BDF7FAD9B45324F148255F929D7291D670CE0487A0

Function 00C3D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C3CFF9,00000000,00000004,00000000), ref: 00C3D218
GetLastError.KERNEL32 ref: 00C3D224
__dosmaperr.LIBCMT ref: 00C3D22B
ResumeThread.KERNEL32(00000000), ref: 00C3D249

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d23917b1d61295f8aaf363ef021270cbffb0bb7a592a21814d5d14185329e032
Instruction ID: b959118ee4db5718603a897211dc6d413b03ab367672c10380d8451c6f93117f
Opcode Fuzzy Hash: d23917b1d61295f8aaf363ef021270cbffb0bb7a592a21814d5d14185329e032
Instruction Fuzzy Hash: C601F976825104BBCB115BA6EC45BAF7A6DDF82731F100219F936921D0CF72CD01D7A0

Function 00CA9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

GetClientRect.USER32(?,?), ref: 00CA9F31
GetCursorPos.USER32(?), ref: 00CA9F3B
ScreenToClient.USER32(?,?), ref: 00CA9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CA9F7A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5a5914165a21a506a7864678fe205424a945c46653053709a7206b0f14d61f68
Instruction ID: fcef0515bffe715831334f6811d2ed116d3315dd563ec631a2084cd9e1bcc205
Opcode Fuzzy Hash: 5a5914165a21a506a7864678fe205424a945c46653053709a7206b0f14d61f68
Instruction Fuzzy Hash: DA11453290015AAFDF10DFA8DC8AAEE77B8FB06319F000451FA11E3140D330BA91DBA1

Function 00C1600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
GetStockObject.GDI32(00000011), ref: 00C16060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 535bddd5a0b0fd4c84b27ddfb899b0cc6f5b9194249d331a68f4e02c35e21ea0
Instruction ID: db94eb2746635087707f027d907d1bb99daabacde9cdfb2a2ea40a8686e45d83
Opcode Fuzzy Hash: 535bddd5a0b0fd4c84b27ddfb899b0cc6f5b9194249d331a68f4e02c35e21ea0
Instruction Fuzzy Hash: 55115E72501548BFEF128F949C84BEEBF69EF0E358F040115FA1452110DB329DA0EB94

Function 00C33B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C33B56

Part of subcall function 00C33AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C33AD2
Part of subcall function 00C33AA3: ___AdjustPointer.LIBCMT ref: 00C33AED

_UnwindNestedFrames.LIBCMT ref: 00C33B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C33B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C33BA4

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 22a1d1d0223eb439dab6f8f5905e4b12e6dcb7cab1c021a52640b76a3cb47196
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 89010C32110189BBDF125E95CC46EEB7F6EEF58758F044014FE58A6121C736E961EBA0

Function 00C43073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C113C6,00000000,00000000,?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue), ref: 00C430A5
GetLastError.KERNEL32(?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue,00CB2290,FlsSetValue,00000000,00000364,?,00C42E46), ref: 00C430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue,00CB2290,FlsSetValue,00000000), ref: 00C430BF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 11ee30c961c4d6f40ae4fe3faddda55f604a67f71b85d965e0743be3c2e89c81
Instruction ID: bf285a1538bcf2f727004d714edd62d1098f8657bf511b58bcced57277cfb8ec
Opcode Fuzzy Hash: 11ee30c961c4d6f40ae4fe3faddda55f604a67f71b85d965e0743be3c2e89c81
Instruction Fuzzy Hash: 7001DB32701262ABCB314BB99C85B5B7B98BF86B65B210720F915E7190D721DA01C6E0

Function 00C77464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C7747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C77497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C774CA

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4fa009b6f48a5d67b8dd8f2c76c6893c1b170531c46c893c731fed78030e7f35
Instruction ID: 036a6287b92f0908c73d6b502b18d51ccb52de491d41d8f73ebc5d326dba3033
Opcode Fuzzy Hash: 4fa009b6f48a5d67b8dd8f2c76c6893c1b170531c46c893c731fed78030e7f35
Instruction Fuzzy Hash: 6C11ADB1209318ABE7208F24DC49FA67FFCEB04B04F10C669A62AD7191D7B0E944DF60

Function 00C7B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B126

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c12b6fc05514562dc931264e18115f1b358979a7ad4be7d0fa43f50803e29de7
Instruction ID: bdc75c45712d34054b625502ed01411a3f154cc00de1774be5b39e2970d3ca01
Opcode Fuzzy Hash: c12b6fc05514562dc931264e18115f1b358979a7ad4be7d0fa43f50803e29de7
Instruction Fuzzy Hash: 5E113971E01929E7CF00AFA5E9A97EEBB78FF0A711F508086D955B2181CB305A518B51

Function 00CA7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CA7E33
ScreenToClient.USER32(?,?), ref: 00CA7E4B
ScreenToClient.USER32(?,?), ref: 00CA7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CA7E8A

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 5f3846d8e9d2271929afac0e0657f1418dc1979b5719329b1193b0f6047c62cd
Instruction ID: b5d371c2ae34d4abc2923830c53ea498b3aecfd7a548bc97870b0257c963f42d
Opcode Fuzzy Hash: 5f3846d8e9d2271929afac0e0657f1418dc1979b5719329b1193b0f6047c62cd
Instruction Fuzzy Hash: F01144B9D0020AAFDB41CF98C884AEEBBF5FF09314F505156E915E3210D735AA54CF50

Function 00C72DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C72DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C72DD6
GetCurrentThreadId.KERNEL32 ref: 00C72DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C72DE4

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c196448d35d58c6c14ec23f4d6425fb99dd31f281db65120e66bc119adbc0dab
Instruction ID: 0e8b8f84880b4bd9f690755f305473d3dca5a9d2a6762652272abfc5a098b968
Opcode Fuzzy Hash: c196448d35d58c6c14ec23f4d6425fb99dd31f281db65120e66bc119adbc0dab
Instruction Fuzzy Hash: FBE01271601224BBD7305B739C8EFEF7E6CEF57BA5F404115F609D20909AA5C941C6B0

Function 00CA8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296A2
Part of subcall function 00C29639: BeginPath.GDI32(?), ref: 00C296B9
Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CA8887
LineTo.GDI32(?,?,?), ref: 00CA8894
EndPath.GDI32(?), ref: 00CA88A4
StrokePath.GDI32(?), ref: 00CA88B2

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5653209a8b017fb74e96fcab77559de120307e8b6675914f81b216959ee7fb5d
Instruction ID: d7c644b41729359c36b0c9349b4911c4ba2393d193c2aae6d53d9489f28d242c
Opcode Fuzzy Hash: 5653209a8b017fb74e96fcab77559de120307e8b6675914f81b216959ee7fb5d
Instruction Fuzzy Hash: 1CF03A36045259BBDB125F94AC4DFCE3A69AF06714F448000FA11660E2CB795621DBA9

Function 00C298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C298CC
SetTextColor.GDI32(?,?), ref: 00C298D6
SetBkMode.GDI32(?,00000001), ref: 00C298E9
GetStockObject.GDI32(00000005), ref: 00C298F1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 56fccaedb3c929e5adeab25d5aa35d4590da73fd56487708e1424a00fb7f07ae
Instruction ID: ff7851e82e61b56a7fe2f12251922552047c89bcc066824ead11c24397771e9b
Opcode Fuzzy Hash: 56fccaedb3c929e5adeab25d5aa35d4590da73fd56487708e1424a00fb7f07ae
Instruction Fuzzy Hash: 29E06D31244280AADB215B74BC49BEC3F60EB1333AF048719F7FA590E1C77246809B10

Function 00C7162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C71634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C711D9), ref: 00C7163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C711D9), ref: 00C71648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C711D9), ref: 00C7164F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 911fb21e15d4ded294811b8dbac367c14bb883d71d46b526b365be2d3556e927
Instruction ID: 81706ba852b423ad8086d2562c72fbdf9bd3f738ebd3e7361770850c529bb06d
Opcode Fuzzy Hash: 911fb21e15d4ded294811b8dbac367c14bb883d71d46b526b365be2d3556e927
Instruction Fuzzy Hash: 6AE08631602211DBD7201FA49D4DB8B3B7CEF46795F188808F655CA090D6344540C750

Function 00C6D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C6D858
GetDC.USER32(00000000), ref: 00C6D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C6D882
ReleaseDC.USER32(?), ref: 00C6D8A3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2d6df768dd555a2cd7ced0b0c90e4d3393162a605f171fd40dc3d672dd461daa
Instruction ID: a9f844dd82541a9296a236c59cb3687de1dcfd39fcfe4cd9dcea4594e6d17117
Opcode Fuzzy Hash: 2d6df768dd555a2cd7ced0b0c90e4d3393162a605f171fd40dc3d672dd461daa
Instruction Fuzzy Hash: FEE01AB0800204DFCB419FA5D88C76DBBB1FB09314F108009F816E7350CB388941AF40

Function 00C6D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C6D86C
GetDC.USER32(00000000), ref: 00C6D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C6D882
ReleaseDC.USER32(?), ref: 00C6D8A3

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 31f5494e7346bfdd36a73a096d7e0ca49b56139d33e57dded313e0d645453658
Instruction ID: 67f3087fafa87b75a1094aaa9d209e4b5ec4dada22d5278db787f1c1c100bf94
Opcode Fuzzy Hash: 31f5494e7346bfdd36a73a096d7e0ca49b56139d33e57dded313e0d645453658
Instruction Fuzzy Hash: BFE092B5800204EFCB51AFA5D88876EBBB5BB09315B148449F95AE7360CB389942AF50

Function 00C1BBE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C1BEB3

Strings

pE, xrefs: 00C1BC10
w, xrefs: 00C1BBE6

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: w$pE
API String ID: 1385522511-4016300464
Opcode ID: eec651ff2e01aeda27e3c16526dd42a9fb265f847ce2c887569f206b62217937
Instruction ID: f86509f14d699379a3f92585b292fe4170540b808f804c4c5204d13663876129
Opcode Fuzzy Hash: eec651ff2e01aeda27e3c16526dd42a9fb265f847ce2c887569f206b62217937
Instruction Fuzzy Hash: 16910875A0020ADFCB18CF59C1A06EAB7F1FF5A310B248169D955AB350D771AE81EFD0

Function 00C84D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C84ED4

Strings

*, xrefs: 00C84E10
LPT, xrefs: 00C84DFB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 241c1fe5e5fa149bb4d006f361e4e937fe67a98951d11b8617043122c7bd55d9
Instruction ID: d15950b8a9921f2cddabe309642715cb9c620e5761f6923d62b009d5c9b75bd9
Opcode Fuzzy Hash: 241c1fe5e5fa149bb4d006f361e4e937fe67a98951d11b8617043122c7bd55d9
Instruction Fuzzy Hash: 08919275A002059FCB18EF98C484EAABBF1BF45308F15809DE51A9F362C731EE85DB94

Function 00C3E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C3E30D

Strings

pow, xrefs: 00C3E2E5, 00C3E302

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7624e3b0b3cde17b2ded52e2722441a51ea598752b00c333ca4c4945f6e66121
Instruction ID: b0f57e841164c79f90398cce5892df30772df8d2678d857dac04063210cef1e6
Opcode Fuzzy Hash: 7624e3b0b3cde17b2ded52e2722441a51ea598752b00c333ca4c4945f6e66121
Instruction Fuzzy Hash: 23512A61E2C2029ADB157724C9413BE3BA4FF40740F748F58E4F5822F9EB358D95AB86

Function 00C2E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C2E1B1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 262654b6368c727d16d01a7cd7e481e1f8347bc97c78de17cb1902a28d28a834
Instruction ID: 8846222410aae35b4540b71fdc69fa2126c7dfb7fc3158677d1957d1418718b7
Opcode Fuzzy Hash: 262654b6368c727d16d01a7cd7e481e1f8347bc97c78de17cb1902a28d28a834
Instruction Fuzzy Hash: F8513679500256DFDF25DF68D081AFA7BA8EF16310F244056FCA2AB2C0D7349E42DBA0

Function 00C2F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C2F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C2F2BB

Strings

@, xrefs: 00C2F2AF

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0af7c62d41b143cc205cf75583c6ee69b2889d870091b6f00a75a0f32b47f19e
Instruction ID: 7897c61a9405c8db4125bcdc3a31a3bbcef2f7e407e6328932ee64db824b38fb
Opcode Fuzzy Hash: 0af7c62d41b143cc205cf75583c6ee69b2889d870091b6f00a75a0f32b47f19e
Instruction Fuzzy Hash: C05134714087449BD320EF54D886BAFBBF8FB86300F81885DF199421A5EB308569DB66

Function 00C95745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C957E0
_wcslen.LIBCMT ref: 00C957EC

Strings

CALLARGARRAY, xrefs: 00C957E6, 00C957EB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: af15cb644904f1ad62d8f893bba2a63fd73ed2e4cf53627eba08716160150400
Instruction ID: 85b262f4c411a40b9df7c75021bae06a3cc006f581ae8ebbaf2fbd18043f36b7
Opcode Fuzzy Hash: af15cb644904f1ad62d8f893bba2a63fd73ed2e4cf53627eba08716160150400
Instruction Fuzzy Hash: A041AE71A002099FCF05DFA9C8899AEBBB5FF59724F108069E515A7291E7309E81DB90

Function 00C8D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C8D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C8D13A

Strings

|, xrefs: 00C8D10B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a4fd93a83ae857885b9e07b6a0f8bbbe9ff37520b5afaf71faf30b398b940604
Instruction ID: cc9d0f41b01070fef11f665421d0db1f619f789e0e5a5455cf699e42f7ca69c3
Opcode Fuzzy Hash: a4fd93a83ae857885b9e07b6a0f8bbbe9ff37520b5afaf71faf30b398b940604
Instruction Fuzzy Hash: 8C314F71D00209ABCF15EFA5CC85EEE7FB9FF05314F000119F816A61A5DB31AA56EB54

Function 00CA356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CA3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CA365C

Strings

static, xrefs: 00CA35BC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ce1c8de22da757817790a869f926f5f687f802b73bae809b77fe50ee1362b4db
Instruction ID: 344692d684696b354ca99e8d2345916292fa7aebcb6e4676ed2de574e6fee0af
Opcode Fuzzy Hash: ce1c8de22da757817790a869f926f5f687f802b73bae809b77fe50ee1362b4db
Instruction Fuzzy Hash: 1131BE71500245AEDB10DF68DC90FFB73A9FF8A728F008619F9A597280DA30EE81D760

Function 00CA4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CA461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA4634

Strings

', xrefs: 00CA458E

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 318b71f12dbc4cccbb2d9cc78da374cbe211553a424a1f44c2f41c7ce726350d
Instruction ID: bc25b3435b575065800350a5b58ac8323174d15a44dcb872861c47a19683ee29
Opcode Fuzzy Hash: 318b71f12dbc4cccbb2d9cc78da374cbe211553a424a1f44c2f41c7ce726350d
Instruction Fuzzy Hash: 94311974E0120A9FDB18CFA9C994BDA7BB5FF8A304F144069E915AB351D7B0A941CF90

Function 00CA31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CA327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA3287

Strings

Combobox, xrefs: 00CA3249

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1307537f2308dd3637b947402f3aeb53ebc3332cd3e2da6a08948cee6f747a2b
Instruction ID: 2e366f6ccf4398975f655952c487388807bce03da00a97d830b207c20ad5e1c2
Opcode Fuzzy Hash: 1307537f2308dd3637b947402f3aeb53ebc3332cd3e2da6a08948cee6f747a2b
Instruction Fuzzy Hash: E811E6713002497FEF219E94DC90FBB376AEB56368F100225F92497291D6319E519760

Function 00C7EF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C7EF1D

Strings

HANDLE, xrefs: 00C7EF16
pW, xrefs: 00C7EF1B

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$pW
API String ID: 176396367-1987465989
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: c86bb588b2e59269a173a14bc5c3840e8acb596adc4bf91e9086d93f1d408b29
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: 7F1126735201249BE718CF99D889BADB3A8EF89725F6080EAE018CE4C4E7709F81D714

Function 00CA3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
Part of subcall function 00C1600E: GetStockObject.GDI32(00000011), ref: 00C16060
Part of subcall function 00C1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A

GetWindowRect.USER32(00000000,?), ref: 00CA377A
GetSysColor.USER32(00000012), ref: 00CA3794

Strings

static, xrefs: 00CA3757

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a06b247b284e6f1b0a765e272317c72fdf273977ec65c5276c2a3c4de05a96bf
Instruction ID: 89cb4611c4132dc8e205507243055fd608077d135c0f721e817b64f939d9c45a
Opcode Fuzzy Hash: a06b247b284e6f1b0a765e272317c72fdf273977ec65c5276c2a3c4de05a96bf
Instruction Fuzzy Hash: 5F1129B261020AAFDB00DFA8CD45EFE7BB8EB0A358F004524F965E3250E735E9519B60

Function 00C8CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C8CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C8CDA6

Strings

<local>, xrefs: 00C8CD66

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 24ee5c9e7e8e12e4eabee8c2d5d3c9d9b71913744aa53bb601a1919c71acd750
Instruction ID: c1a63be00c400f3b9d336be049fc8de2b10ac5a555087777f12ba0bd2f772922
Opcode Fuzzy Hash: 24ee5c9e7e8e12e4eabee8c2d5d3c9d9b71913744aa53bb601a1919c71acd750
Instruction Fuzzy Hash: 9211A071205631BAD7286B668CC9FE7BEA8EB137A8F00423BF11983180D7709951D7F4

Function 00CA3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CA34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CA34BA

Strings

edit, xrefs: 00CA348F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e47d04e3918b005ae051d507b7efdc1deaaa1cdf94d284e1920c7af8d709f1bd
Instruction ID: c50fed5f147387fc2056b16069eb1b28842620f12ef905ecc9545e3858478337
Opcode Fuzzy Hash: e47d04e3918b005ae051d507b7efdc1deaaa1cdf94d284e1920c7af8d709f1bd
Instruction Fuzzy Hash: 97118F7150024AAFEB128E64DC94BEB3B6AEB0A37CF504724F971971D0C771DE91AB50

Function 00C76C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C76CB6
_wcslen.LIBCMT ref: 00C76CC2

Strings

STOP, xrefs: 00C76CBC, 00C76CC1

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d37500949dfcc9e5a37fce13763d83d1eb504fb53d94e207809af65f865e67fd
Instruction ID: 218eacbff30c41cdd68c1bafdbe6a9775a27960571a3bf634008751d190db2bd
Opcode Fuzzy Hash: d37500949dfcc9e5a37fce13763d83d1eb504fb53d94e207809af65f865e67fd
Instruction Fuzzy Hash: 8C0126326109268BCB21AFFDCC909FF33B8EF61710B104524E96697190EB31DA40D650

Function 00C71CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C71D4C

Strings

ListBox, xrefs: 00C71D16
ComboBox, xrefs: 00C71CEB

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 32aab1310725374a38893ac2a51881dc7bad3ac564de45d11f0f50f5cfaf1263
Instruction ID: 50d27e8d44c8b81814c1a55521eba9fe7c696c62a58d80b77bdc21ee898bf44d
Opcode Fuzzy Hash: 32aab1310725374a38893ac2a51881dc7bad3ac564de45d11f0f50f5cfaf1263
Instruction Fuzzy Hash: 4501FC71601214ABCB15EBA8CC61DFE7368FF57390F04461AFC76573C1EA305908AB60

Function 00C71BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C71C46

Strings

ListBox, xrefs: 00C71C10
ComboBox, xrefs: 00C71BE5

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f8a54472cb5b0bd3a878de82ce57134dbdabd24ec0408b06b04c6519a6e9a5b6
Instruction ID: 8aa64d59a9a8a1e1154335539a1629164c4bff6e34df86e22760766c544c922e
Opcode Fuzzy Hash: f8a54472cb5b0bd3a878de82ce57134dbdabd24ec0408b06b04c6519a6e9a5b6
Instruction Fuzzy Hash: B701A77578110467DB05EBD4C962AFF77A8DB13380F24401ABD5A672C1EA209F18A6B1

Function 00C71C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C71CC8

Strings

ListBox, xrefs: 00C71C94
ComboBox, xrefs: 00C71C69

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ce0df8ff80249716c3e0be024fb98c52a2067853cface005755131cf860f28fc
Instruction ID: a909011f9f9af8cd0132434bbef4ec07eea8e599ce1ceca54bfc0044e2308511
Opcode Fuzzy Hash: ce0df8ff80249716c3e0be024fb98c52a2067853cface005755131cf860f28fc
Instruction Fuzzy Hash: 4401DB7174011467DB05EBD8CA12AFF77A89B13380F144016BD46732C1EA309F18E6B1

Function 00C71D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C71DD3

Strings

ListBox, xrefs: 00C71DA0
ComboBox, xrefs: 00C71D75

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 99ca9a0af215e757f0ba16b8dc05c576ca39ba369a679d79c3aba1b166083437
Instruction ID: b7c0f8a23366056dae8d92393f520ad7501a82104d223cddd2d75025b28c17d7
Opcode Fuzzy Hash: 99ca9a0af215e757f0ba16b8dc05c576ca39ba369a679d79c3aba1b166083437
Instruction Fuzzy Hash: DEF0A471B5121467DB15E7A8CC62BFF77A8EB13390F080916BD66632C1DA705A08A6A0

Function 00C9747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C97493
_wcslen.LIBCMT ref: 00C974B9

Strings

3, 3, 16, 1, xrefs: 00C97483

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d34cb8de1639c6710f7b9942549407b95c662ffcccb64fe9b05552182405c359
Instruction ID: 5069212646a858b83c88bd898182126d100ba6eecf2ef0eaaa4e59c55d723dde
Opcode Fuzzy Hash: d34cb8de1639c6710f7b9942549407b95c662ffcccb64fe9b05552182405c359
Instruction Fuzzy Hash: CCE061023363201097351279DCC5B7F578DCFCD760B14192BF985C2267EA94DE91A7A0

Function 00C70B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C70B23

Strings

AutoIt, xrefs: 00C70B17
Error allocating memory., xrefs: 00C70B1C

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1f66f73eaab1827615b756ff56a0e8d29a8f036e24af20c96dff289186381bf3
Instruction ID: e27469d67d84821241c09ae12a4a3bf8c846f8d99cb1dae38af7ad51819560fe
Opcode Fuzzy Hash: 1f66f73eaab1827615b756ff56a0e8d29a8f036e24af20c96dff289186381bf3
Instruction Fuzzy Hash: FDE0D83124431826D21437547C43F897A848F06B25F10043BF758955C38EE1659166E9

Function 00C30D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C2F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C30D71,?,?,?,00C1100A), ref: 00C2F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C1100A), ref: 00C30D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C1100A), ref: 00C30D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C30D7F

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 821d13663de54b74360534878147e7f6bc901071e3f1a52c99bcf2ac346fc91a
Instruction ID: 68e876f3cc7322140a3c679b13fe0d2b0fb1034ca9823740f3af8eabd3152f8c
Opcode Fuzzy Hash: 821d13663de54b74360534878147e7f6bc901071e3f1a52c99bcf2ac346fc91a
Instruction Fuzzy Hash: D7E06DB02007518BD7209FB8E45834A7BE0AB05748F104A2DE482C7651DBB4E4859B91

Function 00C83017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C8302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C83044

Strings

aut, xrefs: 00C83038

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 725bff7603fc62b5b160e24f8090e91e83cd6322f01574843907eab221fa8de6
Instruction ID: d97b3adf468154d3b809746aa539223165fa043a1f2a508fe3c75a7823b5297e
Opcode Fuzzy Hash: 725bff7603fc62b5b160e24f8090e91e83cd6322f01574843907eab221fa8de6
Instruction Fuzzy Hash: 28D05EB250032867DA20A7A4AD4EFCB7B6CDB05754F0002A2B696E3191DBB49984CAD0

Function 00C6D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C6D220

Strings

%.3d, xrefs: 00C6D22B
X64, xrefs: 00C6D2A8

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 188f9ec5fa5f3dcf9ad37beb073ee2e7d134fc0610dfe2fe7364214cfb66a9a7
Instruction ID: 5bc4e8b313ffcf39edc8827152a7bf6a901c72579920c961e4974df1ff2d42bb
Opcode Fuzzy Hash: 188f9ec5fa5f3dcf9ad37beb073ee2e7d134fc0610dfe2fe7364214cfb66a9a7
Instruction Fuzzy Hash: 88D012A1D08118EACBA096D2DCD59B9B37CAB18301F508462F90792040E734C9086761

Function 00CA2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA236C
PostMessageW.USER32(00000000), ref: 00CA2373

Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3

Strings

Shell_TrayWnd, xrefs: 00CA2365

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2950ca9a6a52f57b264064dcfdf42b8de20fecff6972bae2d1d1c75eb7172dfd
Instruction ID: 7bd559cecf928f9f2713a1c422290344982fafef841786108d142048714658eb
Opcode Fuzzy Hash: 2950ca9a6a52f57b264064dcfdf42b8de20fecff6972bae2d1d1c75eb7172dfd
Instruction Fuzzy Hash: FFD0C9327853107AE664A771AC4FFCA76149B16B14F0149167755AB1D0C9A0A841CA54

Function 00CA2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CA233F

Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3

Strings

Shell_TrayWnd, xrefs: 00CA2325

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a7325656309037ae97e03dd69f7650d747481e20f9eae4d556ff51ef8afb3c18
Instruction ID: f636260ab1c92fd49d4b55f99f0fb9799494ff4b89203d61efdaab9f8c5b6c1d
Opcode Fuzzy Hash: a7325656309037ae97e03dd69f7650d747481e20f9eae4d556ff51ef8afb3c18
Instruction Fuzzy Hash: 64D01237794310B7E664B771EC4FFCA7A149B15B14F0149167759AB1D0C9F0A841CA54

Function 00C2F7E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(0001040F), ref: 00C2F7EA

Strings

hw, xrefs: 00C2F804
w, xrefs: 00C2F7F0

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: DestroyIcon
String ID: w$hw
API String ID: 1234817797-3855683033
Opcode ID: 6576da16fa1c257bab8364468f55e6d6ae6334a02d8715bae9c3581684393bda
Instruction ID: 3ee3156a4cdc782bdc222d27ab4dfb17460d7268b582b964eeb4c0067abf0662
Opcode Fuzzy Hash: 6576da16fa1c257bab8364468f55e6d6ae6334a02d8715bae9c3581684393bda
Instruction Fuzzy Hash: 43C012B0B00286476B0837AA69B53B8219AEBC770070800382B12C77E0CE3088B0B6B2

Function 00C4BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C4BE93
GetLastError.KERNEL32 ref: 00C4BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C4BEFC

Memory Dump Source

Source File: 00000000.00000002.1796416628.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1796379833.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796522604.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796623524.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1796659042.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 5dbc43dfcd3cd6ff670fad9de0ebe89c1781e6a1d727fab9f713736abc3852e4
Instruction ID: ce0a9e41b9cedf1470d40aa765156cdcfccc6d4f1a2334665f12e7447b7cc076
Opcode Fuzzy Hash: 5dbc43dfcd3cd6ff670fad9de0ebe89c1781e6a1d727fab9f713736abc3852e4
Instruction Fuzzy Hash: A241B338604206AFEF25CFA5CD84BAA7BA5BF42320F144169F96D971A1DB31CE05DB60

Analysis Process: firefox.exePID: 7572, Parent PID: 6984COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000019C12886332 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000019C12886397

Strings

#, xrefs: 0000019C12884705
A, xrefs: 0000019C1288638F
4, xrefs: 0000019C1288A419
z, xrefs: 0000019C12887976
#, xrefs: 0000019C128863C2
>, xrefs: 0000019C128863F9
>, xrefs: 0000019C1288719C
z, xrefs: 0000019C128863CB
#, xrefs: 0000019C12887471
>, xrefs: 0000019C1288A43F

Memory Dump Source

Source File: 00000011.00000002.2989524134.0000019C12884000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000019C12884000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_19c12884000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: e10d8239f33d8e3765b3e6085d9dc83ebc86d5ba2686bc60e452adea01cbcf3d
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: BFA3E531618A498BEB2DDF18DC956E973E6FB98300F14423ED88AC7256DF34E91287C5

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1846313703.0000025DC1819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1848783930.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1846313703.0000025DC1819000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1856155169.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1848783930.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1942178034.0000025DC7D6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1964395077.0000025DC7FD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1848783930.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1846313703.0000025DC1819000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1856155169.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1848783930.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1942178034.0000025DC7D6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1964395077.0000025DC7FD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1847103225.0000025DC0EEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1847103225.0000025DC0EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1848783930.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1942178034.0000025DC7D6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1964395077.0000025DC7FD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1848783930.0000025DC1853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1942178034.0000025DC7D6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1964395077.0000025DC7FD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1999014519.0000025DC1E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1962695271.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983230044.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940532313.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1962695271.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983230044.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940532313.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1962695271.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1983230044.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940532313.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1962695271.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940532313.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/p equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1962695271.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940532313.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/p equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1962695271.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1940532313.0000025DC979A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/p equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1847103225.0000025DC0EEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1847103225.0000025DC0EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1847103225.0000025DC0E4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:61031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:61032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:61033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:61036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:61037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:61038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:61039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:61112 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:61111 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:61113 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 61029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 61111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 61038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61031
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61033
Source: unknown	Network traffic detected: HTTP traffic on port 61039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61111
Source: unknown	Network traffic detected: HTTP traffic on port 61035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61113
Source: unknown	Network traffic detected: HTTP traffic on port 61274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61037
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61038
Source: unknown	Network traffic detected: HTTP traffic on port 61113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 61033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d9523c2c-1f83-407d-8b80-8d842bf553ce.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d9523c2c-1f83-407d-8b80-8d842bf553ce.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre